CVE-2025-23048

Description

In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.

How to fix CVE-2025-23048

To remediate CVE-2025-23048, upgrade the affected package to a fixed version below.

• —upgrade to 2.4.64-r0 or later
• —upgrade to 2.4.64 or later
• —upgrade to 2.4.65-1~deb11u1 or later

Is CVE-2025-23048 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

• from 0, < 2.4.64-r0
• >= 2.4.35, < 2.4.64
• from 0, < 2.4.65-1~deb11u1

CVSS scores

References (7)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2025-23048
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-23048
• WEBhttpd.apache.org/security/vulnerabilities_24.html
• WEBlists.debian.org/debian-lts-announce/2025/08/msg00009.html