Expression Evaluation Bug in Apache HTTP Server by Apache
CVE-2025-54090

6.3 MEDIUM

Key Information:

Vendor: Apache
CVE Published: 23 July 2025

What is CVE-2025-54090?

A bug in Apache HTTP Server 2.4.64 causes all 'RewriteCond expr ...' tests to be incorrectly evaluated as 'true'. Because the conditions are misinterpreted, this flaw can disrupt functionality and allow unintended access. Users are strongly urged to update to version 2.4.65, where this issue is resolved.
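To see which rewrite rules on a 2.4.64 host depend on the affected directive, the configuration can be audited for `RewriteCond expr` lines. The following is an added example, not code from Apache or from this advisory; the function names and the sample configuration are constructed for illustration.

```python
import re

# A RewriteCond whose TestString is the special value "expr" (optionally
# quoted); the rest of the line is the expression that 2.4.64 treats as true.
_EXPR_COND = re.compile(r'^\s*RewriteCond\s+(["\']?)expr\1\s+(.+?)\s*$', re.IGNORECASE)

def logical_lines(text):
    """Yield (first_line_number, joined_line), joining trailing-backslash continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if start is not None:          # file ended on a continuation line
        yield start, buf

def find_expr_conditions(text):
    """Return [(line_number, expression)] for every active 'RewriteCond expr ...'."""
    hits = []
    for no, line in logical_lines(text):
        if line.lstrip().startswith("#"):   # commented-out directive
            continue
        m = _EXPR_COND.match(line)
        if m:
            hits.append((no, m.group(2)))
    return hits

# Constructed sample configuration (not taken from any real server).
SAMPLE_CONF = r'''
RewriteEngine On
# RewriteCond expr "false"
RewriteCond %{REQUEST_URI} ^/admin
RewriteCond expr "! -R '10.0.0.0/8'"
RewriteRule ^ - [F]
RewriteCond expr \
    "%{HTTP_HOST} != 'www.example.com'"
RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]
'''

if __name__ == "__main__":
    for no, expr in find_expr_conditions(SAMPLE_CONF):
        print(f"line {no}: RewriteCond expr {expr}")
```

Run it over the main configuration, every included file and any `.htaccess` files; each hit marks a condition whose rule needs review until the server is on 2.4.65.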

Affected Version(s)

Apache HTTP Server 2.4.64

CVSS V3.1

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
