Denial of Service Vulnerability in Apache HTTP Server Proxy Configurations
CVE-2025-49630

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Http Server
Vendor: CVE Published:; 10 July 2025

What is CVE-2025-49630?

A denial of service vulnerability exists in Apache HTTP Server 2.4.26 to 2.4.63 when certain proxy configurations are in place. This issue can be exploited by untrusted clients causing an assertion failure in mod_proxy_http2. Affected installations that utilize a reverse proxy with ProxyPreserveHost set to 'on' are particularly susceptible. Administrators are advised to review their configurations and apply necessary security measures to mitigate the risk.

Affected Version(s)

Apache HTTP Server 2.4.26 <= 2.4.63

References

https://httpd.apache.org/security/vulnerabilities_24.html

vendor-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 10, 2025
Vulnerability Reserved
Jun 8, 2025

Credit

Anthony CORSIEZ