CVE-2025-49630
Published: 10 July 2025
Summary
CVE-2025-49630 is a high-severity Reachable Assertion (CWE-617) vulnerability in Apache HTTP Server. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 13.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2025-49630 is a reachable assertion vulnerability (CWE-617) in Apache HTTP Server versions 2.4.26 through 2.4.63 that affects the mod_proxy_http2 module. It is triggered only in reverse-proxy configurations that use an HTTP/2 backend and have ProxyPreserveHost set to "on", allowing an unauthenticated remote client to cause the server process to abort.
An attacker with network access can send specially crafted requests to the affected proxy, resulting in a denial of service that impacts availability but does not allow code execution or data disclosure. The CVSS 3.1 score of 7.5 reflects the low attack complexity and lack of required privileges or user interaction.
Advisories published on the Apache HTTP Server security page and mirrored on oss-security and Debian LTS lists recommend upgrading to a fixed release or applying vendor patches; they also note that disabling ProxyPreserveHost or avoiding HTTP/2 backends mitigates the issue when an immediate update is not feasible.
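As an added illustration, not taken from this page or from the Apache project, the following POSIX shell script checks an Apache configuration file for the two conditions the advisory names together: ProxyPreserveHost On and a ProxyPass (or ProxyPassMatch) target using the h2:// or h2c:// scheme, which is what routes a request through mod_proxy_http2. The function names, sample configurations and file paths are constructed for the example; the match is a heuristic over one file that does not evaluate directive context (server, virtual host, location) and does not follow Include directives.

```shell
#!/bin/sh
# Added example (not Apache's own tooling): heuristic check for the configuration
# combination described in the advisory. Function and file names are constructed.

# Returns 0 when the file sets ProxyPreserveHost On AND contains a ProxyPass or
# ProxyPassMatch rule whose target uses the h2:// or h2c:// scheme (handled by
# mod_proxy_http2). Returns 1 otherwise. Comments are stripped first and
# directive names are matched case-insensitively, as Apache treats them.
check_h2_preservehost() {
  cfg="$1"
  preserve=$(sed 's/#.*//' "$cfg" \
    | grep -ciE '^[[:space:]]*ProxyPreserveHost[[:space:]]+"?On' || true)
  h2backend=$(sed 's/#.*//' "$cfg" \
    | grep -ciE '^[[:space:]]*ProxyPass(Match)?[[:space:]].*[[:space:]]"?h2c?://' || true)
  if [ "$preserve" -gt 0 ] && [ "$h2backend" -gt 0 ]; then
    echo "RISK: $cfg combines ProxyPreserveHost On with $h2backend HTTP/2 backend rule(s)"
    return 0
  fi
  echo "OK: $cfg does not combine ProxyPreserveHost On with an HTTP/2 backend"
  return 1
}

# Writes two constructed sample configurations into the directory given as $1:
# one with the risky combination, one with the advisory's mitigation applied.
write_sample_configs() {
  dir="$1"
  cat > "$dir/vulnerable.conf" <<'EOF'
# constructed sample: reverse proxy to an HTTP/2 backend, client Host header preserved
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http2_module modules/mod_proxy_http2.so
<VirtualHost *:443>
    ServerName example.test
    ProxyPreserveHost On
    ProxyPass "/app/" "h2://backend.internal:8443/"
    ProxyPassReverse "/app/" "h2://backend.internal:8443/"
</VirtualHost>
EOF
  cat > "$dir/safe.conf" <<'EOF'
# constructed sample: same backend, but ProxyPreserveHost turned off (mitigation)
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http2_module modules/mod_proxy_http2.so
<VirtualHost *:443>
    ServerName example.test
    ProxyPreserveHost Off
    ProxyPass "/app/" "h2://backend.internal:8443/"
    ProxyPassReverse "/app/" "h2://backend.internal:8443/"
</VirtualHost>
EOF
}

# Runs the check over both constructed samples and prints one line per file.
demo() {
  dir=$(mktemp -d)
  write_sample_configs "$dir"
  for f in "$dir/vulnerable.conf" "$dir/safe.conf"; do
    check_h2_preservehost "$f" || true
  done
  rm -rf "$dir"
}

demo
```

Run it against each configuration file a server loads (httpd -S or apachectl -t -D DUMP_VHOSTS lists the files in use); a RISK result means the file pairs the two directives the advisory describes and is a candidate for upgrade or for setting ProxyPreserveHost Off until the update is applied. Because the check counts directives per file rather than per context, a file that sets ProxyPreserveHost On in one virtual host and uses an h2:// backend only in another is still flagged, which errs on the side of review.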
The EPSS score rose from a low baseline to a recorded peak of 0.0467 before settling at the current value of 0.0267, indicating measurable post-disclosure interest in exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21017
Vulnerability details
In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2. Affected configurations are those in which a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to "on".
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.