Cyber Resilience

CVE-2025-49630

Severity: High

Published: 10 July 2025
Modified: 04 November 2025
KEV Added: not listed
Patch: available (fixed in Apache HTTP Server 2.4.64)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0267 (86.2nd percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-49630 is a high-severity reachable assertion (CWE-617) vulnerability in the mod_proxy_http2 module of Apache HTTP Server. Its CVSS 3.1 base score is 7.5 (High).

Operationally, it ranks in the top 13.8% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2025-49630 is a reachable assertion vulnerability (CWE-617) in the mod_proxy_http2 module of Apache HTTP Server versions 2.4.26 through 2.4.63 (fixed in 2.4.64). The assertion is reachable only in reverse-proxy configurations that forward requests to an HTTP/2 backend (an h2:// or h2c:// proxy target, which is what mod_proxy_http2 serves) and have ProxyPreserveHost set to "on". In that setup an unauthenticated remote client can trip the assertion and abort the httpd worker process serving the request.

An attacker with network access to the proxy can send crafted requests that trigger the abort, producing a denial of service that affects availability only; the flaw does not allow code execution or data disclosure. The CVSS 3.1 score of 7.5 reflects network reachability, low attack complexity, and no requirement for privileges or user interaction, with impact limited to availability.

Advisories published on the Apache HTTP Server security page, and mirrored on the oss-security and Debian LTS lists, recommend upgrading to a fixed release (2.4.64 or later) or applying the vendor patch. They also note that, where an immediate update is not feasible, disabling ProxyPreserveHost or not proxying to HTTP/2 backends removes the configuration in which the assertion is reachable.
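The affected combination and the interim mitigation described above, as an added example that is not part of the original page or of the Apache project: a POSIX shell audit script that checks an httpd configuration for an HTTP/2 proxy backend together with ProxyPreserveHost On, and combines that with the httpd version to decide whether a host is exposed. The two sample configurations, their file names and the script name `check_cve_2025_49630.sh` are constructed for illustration; the scheme check relies on the h2:// and h2c:// backend schemes that mod_proxy_http2 handles.

```shell
#!/bin/sh
# Added example, not from the original page or the Apache project: a heuristic
# audit for the CVE-2025-49630 precondition. It flags an httpd configuration that
# both proxies to an HTTP/2 backend through mod_proxy_http2 (an h2:// or h2c://
# target on ProxyPass, ProxyPassMatch or BalancerMember) and sets
# ProxyPreserveHost On, and combines that with the running httpd version.
# It does not follow Include directives: feed it a merged configuration.

# is_vulnerable_version VERSION -> success when VERSION is in 2.4.26 .. 2.4.63
is_vulnerable_version() {
    case "$1" in
        2.4.*)
            p=${1#2.4.}
            p=${p%%[!0-9]*}            # drop distro suffixes such as "-2ubuntu1"
            [ -n "$p" ] && [ "$p" -ge 26 ] && [ "$p" -le 63 ]
            ;;
        *)  return 1 ;;
    esac
}

# config_has_h2_preservehost FILE -> success when FILE contains both an HTTP/2
# proxy target and "ProxyPreserveHost On". Directives are case-insensitive,
# hence grep -i; comment lines are stripped first.
config_has_h2_preservehost() {
    cfg=$(sed -e 's/#.*$//' "$1")
    h2=$(printf '%s\n' "$cfg" | grep -Eic \
        '^[[:space:]]*(ProxyPass(Match)?|BalancerMember)[[:space:]].*[[:space:]"]h2c?://' || true)
    ph=$(printf '%s\n' "$cfg" | grep -Eic \
        '^[[:space:]]*ProxyPreserveHost[[:space:]]+On[[:space:]]*$' || true)
    [ "$h2" -gt 0 ] && [ "$ph" -gt 0 ]
}

# exposed FILE VERSION -> success only when the version and the config both match
exposed() {
    is_vulnerable_version "$2" && config_has_h2_preservehost "$1"
}

# write_samples DIR: constructed sample configs (not real deployments) showing
# the affected setting beside the interim mitigation from the advisories.
# httpd does not allow trailing comments on directive lines, so comments
# sit on their own lines.
write_samples() {
    cat > "$1/vulnerable.conf" <<'EOF'
LoadModule proxy_module       modules/mod_proxy.so
LoadModule proxy_http2_module modules/mod_proxy_http2.so
<VirtualHost *:443>
    ServerName app.example.test
    # Affected combination: client Host header forwarded to an h2 backend
    ProxyPreserveHost On
    ProxyPass        "/" "h2://backend.internal:8443/"
    ProxyPassReverse "/" "h2://backend.internal:8443/"
</VirtualHost>
EOF
    cat > "$1/hardened.conf" <<'EOF'
LoadModule proxy_module       modules/mod_proxy.so
LoadModule proxy_http2_module modules/mod_proxy_http2.so
<VirtualHost *:443>
    ServerName app.example.test
    # Interim mitigation until httpd 2.4.64 or later is installed
    ProxyPreserveHost Off
    ProxyPass        "/" "h2://backend.internal:8443/"
    ProxyPassReverse "/" "h2://backend.internal:8443/"
</VirtualHost>
EOF
}

# Stand-alone use: sh check_cve_2025_49630.sh /etc/httpd/conf/httpd.conf [version]
# Without an explicit version, the installed httpd (or apache2ctl) is asked.
if [ -n "${1:-}" ]; then
    v=${2:-}
    if [ -z "$v" ]; then
        v=$( (httpd -v 2>/dev/null || apache2ctl -v 2>/dev/null) \
             | sed -n 's/^Server version: Apache\/\([0-9.]*\).*/\1/p')
    fi
    if exposed "$1" "$v"; then
        echo "EXPOSED: httpd $v proxies to an HTTP/2 backend with ProxyPreserveHost On ($1)"
        exit 2
    fi
    echo "not exposed to CVE-2025-49630 (httpd ${v:-unknown}, $1)"
fi
```

The check is deliberately coarse: ProxyPreserveHost can be set at server scope and inherited by every virtual host, so a match anywhere in the merged configuration counts, and a directive living in an unrelated virtual host will produce a false positive rather than a miss. Point it at the fully merged configuration (or run it once per included file and combine the results) so that directives pulled in through Include are not overlooked.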

The EPSS score rose from a low baseline to a recorded peak of 0.0467 before settling at the current 0.0267, a modest but measurable predicted probability of exploitation in the period after disclosure.

Vulnerability details

In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2. Configurations affected are those where a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to "on".

CWE(s)

CWE-617: Reachable Assertion

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Apache HTTP Server, versions 2.4.26 through 2.4.63 (fixed in 2.4.64)

Mitigating Controls

Automated control mapping is not yet available for this CVE. From the advisories referenced above: upgrade Apache HTTP Server to a fixed release (2.4.64 or later) or apply the vendor patch. Where that cannot be done immediately, set ProxyPreserveHost Off on virtual hosts that proxy to HTTP/2 backends, or stop proxying to HTTP/2 backends; either change removes the configuration in which the assertion is reachable.