CVE-2023-25690

Critical · Public PoC

Published: 07 March 2023
Modified: 18 December 2025
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.6701 (98.6th percentile)
Risk Priority: 60 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-25690 is a critical-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Apache HTTP Server. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 1.4% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-25690 is an HTTP request smuggling vulnerability affecting Apache HTTP Server versions 2.4.0 through 2.4.55. It occurs in certain mod_proxy configurations that combine RewriteRule or ProxyPassMatch directives with non-specific patterns; these patterns capture portions of a user-supplied request-target and re-insert them via variable substitution into the backend request, enabling attackers to manipulate request boundaries.

An unauthenticated remote attacker can send crafted HTTP requests that exploit the smuggling condition to bypass proxy access controls, reach unintended origin URLs, or poison cache entries. The flaw carries a CVSS 3.1 score of 9.8 and is tracked under CWE-444.

Advisories from the Apache project and downstream distributions such as Debian and Gentoo recommend upgrading to version 2.4.56 or later; the official Apache security page details the affected directive patterns and confirms that the fix eliminates the variable-substitution path that permitted request splitting.

The associated EPSS score has remained elevated, with a current value of 0.6701 and a recorded peak of 0.6820; public exploit code has been posted to Packet Storm.

Vulnerability details

Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow an HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like:

    RewriteEngine on
    RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
    ProxyPassReverse /here/ http://example.com:8080/

Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.
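A configuration audit for the directive shape described above, as an added example that is not code from this page or from the Apache project: it flags RewriteRule lines carrying the proxy flag, and ProxyPassMatch lines, whose non-specific capture is re-inserted through a back-reference. The BROAD heuristic, the function names and the sample configuration are assumptions made for illustration; a finding marks a rule to review on servers in the affected version range, where the page's remediation is the upgrade to 2.4.56.

```python
import re
import shlex
# Back-reference in the substitution target, e.g. $1 or ${1}
BACKREF = re.compile(r"\$\{?\d")
# Heuristic (assumption): a group holding "." or a negated class followed by * or +
BROAD = re.compile(r"\([^()]*?(?:\.|\[\^[^\]]*\])[*+]")

def is_affected_version(version):
    """True for 2.4.0 through 2.4.55, the range given in the advisory text."""
    return (2, 4, 0) <= tuple(int(p) for p in version.split(".")) <= (2, 4, 55)

def audit(config_text):
    """Return (line number, directive, pattern) for each proxy rule to review."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tok = shlex.split(line)
        except ValueError:  # unbalanced quotes: skip the line, do not guess
            continue
        if len(tok) < 3:
            continue
        name, pattern, target = tok[0].lower(), tok[1], tok[2]
        if name == "rewriterule":
            # Only rules with the P (proxy) flag are handed to mod_proxy
            flags = tok[3].strip("[]").split(",") if len(tok) > 3 else []
            proxied = any(f.strip().lower() in ("p", "proxy") for f in flags)
        elif name == "proxypassmatch":
            proxied = True
        else:
            continue
        if proxied and BACKREF.search(target) and BROAD.search(pattern):
            findings.append((lineno, tok[0], pattern))
    return findings

# Constructed sample; the first RewriteRule is the example from the advisory text.
SAMPLE = r'''# constructed sample configuration
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
RewriteRule "^/item/(\d+)$" "http://example.com:8080/item?id=$1" [P]
ProxyPassMatch "^/app/(.*)$" "http://example.com:8080/app/$1"
RewriteRule "^/old/(.*)" "/new/$1" [R=301,L]
'''

if __name__ == "__main__":
    for lineno, directive, pattern in audit(SAMPLE):
        print(f"line {lineno}: {directive} re-inserts broad capture {pattern}")
```

The heuristic also flags an escaped dot such as (\.+), so treat each finding as a prompt for manual review rather than a verdict.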

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apache http server, versions 2.4.0 through 2.4.55

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.