CVE-2025-49812 Information
Jul 12, 2025
cve
Description
In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63 an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.
Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64 which removes support for TLS upgrade.
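To check whether a server carries the affected setting, the following added example (not code from this page or from the Apache project) scans configuration text for an active "SSLEngine optional" directive and reports the enclosing virtual host. The names find_tls_upgrade and SAMPLE_CONF are hypothetical, the sample configuration is constructed, and the scan assumes a single file: it does not follow Include directives.

```python
import re

# Constructed sample configuration, not taken from any real server.
SAMPLE_CONF = """\
# SSLEngine optional   (commented out, must not be reported)
<VirtualHost *:80>
    sslengine  Optional
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
</VirtualHost>
<VirtualHost *:8080>
    SSLEngine \\
        optional
</VirtualHost>
"""

# Directive names and the on/off/optional argument are matched case-insensitively.
DIRECTIVE = re.compile(r'^sslengine\s+"?optional"?\s*$', re.IGNORECASE)
VHOST_OPEN = re.compile(r'^<virtualhost\s+([^>]*)>', re.IGNORECASE)
VHOST_CLOSE = re.compile(r'^</virtualhost\s*>', re.IGNORECASE)


def find_tls_upgrade(conf_text):
    """Return (line_number, vhost) for each active 'SSLEngine optional'."""
    findings = []
    vhost = "(server config)"
    pending, start = "", None
    for number, raw in enumerate(conf_text.splitlines(), 1):
        if start is None:
            start = number  # first physical line of this logical line
        # A trailing backslash continues the directive on the next line.
        if raw.endswith("\\"):
            pending += raw[:-1] + " "
            continue
        line = (pending + raw).strip()
        first, pending, start = start, "", None
        if not line or line.startswith("#"):
            continue  # blank line or comment
        opened = VHOST_OPEN.match(line)
        if opened:
            vhost = opened.group(1).strip()
        elif VHOST_CLOSE.match(line):
            vhost = "(server config)"
        elif DIRECTIVE.match(line):
            findings.append((first, vhost))
    return findings
```

Pass the contents of each configuration file to find_tls_upgrade; an empty list means no active "SSLEngine optional" directive was found in that file.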
Reference
https://httpd.apache.org/security/vulnerabilities_24.html
Related CNNVD
CNNVD-202507-1516 (Published: 2025-07-10)