CVE-2025-3891
Published: 29 April 2025
Summary
CVE-2025-3891 is a high-severity Uncaught Exception (CWE-248) vulnerability in Red Hat Enterprise Linux. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 22.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability CVE-2025-3891 affects the mod_auth_openidc module for Apache httpd. It stems from improper handling of an empty POST request when the OIDCPreservePost directive is enabled: the server crashes consistently, resulting in a denial of service that affects availability. The issue carries a CVSS 3.1 base score of 7.5 and is associated with CWE-248.
A remote unauthenticated attacker can exploit the flaw over the network by sending a specially crafted empty POST request to a vulnerable server with the directive enabled, achieving disruption of service without any authentication or user interaction required.
Red Hat has published multiple advisories (RHSA-2025:10002 through RHSA-2025:10007) that address the issue through updated packages for affected products.
The associated EPSS score remains low, with a current value of 0.0101 and a peak of 0.0133.
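Because the crash condition described above is reachable only where OIDCPreservePost is enabled, a quick way to scope exposure while the RHSA updates are rolled out is to audit the httpd configuration for that directive. The following script is an added example, not code from this page, Red Hat or the mod_auth_openidc project: it parses a constructed httpd.conf fragment (placeholder hostnames and paths), tracks the enclosing <VirtualHost>/<Location> blocks, and reports every context where the directive is explicitly set to On. It assumes the module's documented default of Off, so only explicit On settings are flagged.

```python
import re

OPEN_RE = re.compile(r"^<(\w+)\s*([^>]*)>$")   # block open, e.g. <Location /protected>
CLOSE_RE = re.compile(r"^</(\w+)>$")           # block close, e.g. </Location>

SAMPLE_CONF = """\
# constructed httpd.conf fragment; hostnames and paths are placeholders
LoadModule auth_openidc_module modules/mod_auth_openidc.so
OIDCProviderMetadataURL https://idp.example.invalid/.well-known/openid-configuration
OIDCPreservePost Off
<VirtualHost *:443>
    ServerName app.example.invalid
    <Location /protected>
        AuthType openid-connect
        Require valid-user
        OIDCPreservePost On
    </Location>
</VirtualHost>
"""

def find_preserve_post(config_text):
    """Return (context, value, line_no) for every OIDCPreservePost directive; context is the
    chain of enclosing blocks or 'server config'. Names and On/Off are case-insensitive."""
    findings, stack = [], []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blank and comment lines
            continue
        opened = OPEN_RE.match(line)
        if opened:
            name, args = opened.group(1), opened.group(2).strip()
            stack.append(f"<{name} {args}>" if args else f"<{name}>")
            continue
        if CLOSE_RE.match(line):
            if stack:                            # tolerate an unbalanced close
                stack.pop()
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "oidcpreservepost":
            value = parts[1].strip().lower() if len(parts) > 1 else ""
            context = " > ".join(stack) if stack else "server config"
            findings.append((context, value, line_no))
    return findings

def enabled_contexts(config_text):
    """Contexts where the directive is explicitly On (module default assumed to be Off)."""
    return [(ctx, n) for ctx, val, n in find_preserve_post(config_text) if val == "on"]
```

Calling enabled_contexts(SAMPLE_CONF) returns only the <Location /protected> block at line 10; the top-level Off setting is not reported, which is the intended scoping result.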
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-13653
Vulnerability details
A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently, affecting availability.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2025-3891 enables denial of service by crashing the Apache httpd server running mod_auth_openidc with an empty POST request when OIDCPreservePost is enabled, which maps to Endpoint Denial of Service via Application or System Exploitation.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.