CVE-2025-49812 — Apache HTTP Server: mod_ssl TLS upgrade attack

Description

In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.

How to fix CVE-2025-49812

To remediate CVE-2025-49812, upgrade the affected package to a fixed version below.

—upgrade to 2.4.64-r0 or later
—upgrade to 2.4.64 or later
—upgrade to 2.4.65-1~deb11u1 or later

Is CVE-2025-49812 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 2.4.64-r0
from 0, < 2.4.64
from 0, < 2.4.65-1~deb11u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

References (8)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2025-49812
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-49812
WEBhttpd.apache.org/security/vulnerabilities_24.html
WEBlists.debian.org/debian-lts-announce/2025/08/msg00009.html