Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-49812


In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.


Published

2025-07-10T17:15:48.193

Last Modified

2025-07-29T15:09:47.573

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 7.4 (HIGH)

Weaknesses
  • Type: Secondary
    CWE-287

Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application apache http_server < 2.4.64 Yes

References