CVE-2023-25690
Published: 07 March 2023
Summary
CVE-2023-25690 is a critical-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Apache HTTP Server. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 1.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Deeper analysis
CVE-2023-25690 is an HTTP request smuggling vulnerability affecting Apache HTTP Server versions 2.4.0 through 2.4.55. It occurs in certain mod_proxy configurations that combine RewriteRule or ProxyPassMatch directives with non-specific patterns; these patterns capture portions of a user-supplied request-target and re-insert them via variable substitution into the backend request, enabling attackers to manipulate request boundaries.
An unauthenticated remote attacker can send crafted HTTP requests that exploit the smuggling condition to bypass proxy access controls, reach unintended origin URLs, or poison cache entries. The flaw carries a CVSS 3.1 score of 9.8 and is tracked under CWE-444.
Advisories from the Apache project and downstream distributions such as Debian and Gentoo recommend upgrading to version 2.4.56 or later; the official Apache security page details the affected directive patterns and confirms that the fix eliminates the variable-substitution path that permitted request splitting.
The associated EPSS score has remained elevated, with a current value of 0.6701 and a recorded peak of 0.6820; public exploit code has been posted to Packet Storm.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-29605
Vulnerability details
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow an HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like:

    RewriteEngine on
    RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
    ProxyPassReverse /here/ http://example.com:8080/

Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.
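A configuration audit for the directive pattern described above, as an added example that is not part of the advisory or of Apache's own tooling: it flags `RewriteRule ... [P]` and `ProxyPassMatch` lines whose target re-inserts (`$N`) a non-specific capture. The sample config is constructed, and the function names and the "non-specific" test are assumptions made here as a heuristic, not the server's own logic.

```python
import re

# Constructed sample config; the first three directives follow the advisory's example.
SAMPLE_CONF = r'''
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
ProxyPassMatch "^/app/(.+)$" "http://example.com:8080/app/$1"
RewriteRule "^/img/([0-9]+)\.png$" "http://example.com:8080/img?id=$1" [P]
RewriteRule "^/old/(.*)" "/new/$1" [R=301,L]
# RewriteRule "^/x/(.*)" "http://example.com:8080/$1" [P]
'''

TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')  # quoted or bare argument
BACKREF = re.compile(r'\$(\d)')                    # $N substitution in the target
# Heuristic (assumption): a capture is "non-specific" if it uses an unescaped
# dot, a negated class, or a broad escape (\S, \D, \W, \s).
NONSPECIFIC = re.compile(r'(?<!\\)\.|\[\^|\\[SDWs]')

def capture_groups(pattern):
    """Map group number -> group text, numbered by opening parenthesis."""
    groups, stack, n, i = {}, [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if c == '(':
            capturing = not pattern.startswith('(?', i)
            n += capturing
            stack.append((n * capturing, i))
        elif c == ')' and stack:
            num, start = stack.pop()
            if num:
                groups[num] = pattern[start + 1:i]
        i += 2 if c == '\\' else 1  # skip escaped characters such as \( and \.
    return groups

def audit(conf):
    """Yield (line, directive, backrefs) for proxied rules re-inserting broad captures."""
    for lineno, raw in enumerate(conf.splitlines(), 1):
        t = [q or b for q, b in TOKEN.findall(raw.strip())] + [''] * 4
        name, pattern, target, flags = t[0].lower(), t[1], t[2], t[3]
        via_p = {'p', 'proxy'} & set(flags.strip('[]').lower().split(','))
        if not (name == 'proxypassmatch' or (name == 'rewriterule' and via_p)):
            continue
        groups = capture_groups(pattern)
        # $0 or an unknown group falls back to the whole pattern (conservative).
        risky = [int(n) for n in BACKREF.findall(target)
                 if NONSPECIFIC.search(groups.get(int(n), pattern))]
        if risky:
            yield lineno, name, risky
```

Calling `list(audit(SAMPLE_CONF))` reports the advisory-style `RewriteRule` and the broad `ProxyPassMatch`, and skips the digit-only capture, the non-proxied redirect and the commented-out line. On servers running 2.4.0 through 2.4.55, flagged lines are the ones to review alongside the upgrade to 2.4.56.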
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.