CVE-2025-54090 — Apache HTTP Server: 'RewriteCond expr' always evaluates to true in 2.4.64

Description

A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond expr ..." tests evaluating as "true". Users are recommended to upgrade to version 2.4.65, which fixes the issue.

How to fix CVE-2025-54090

To remediate CVE-2025-54090, upgrade the affected package to a fixed version below.

Alpine/apache2—upgrade to 2.4.65-r0 or later
—upgrade to 2.4.65 or later
—upgrade to 2.4.65-1 or later

Is CVE-2025-54090 being exploited?

Low — EPSS is 0.9%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 2.4.65-r0
>= 2.4.64, < 2.4.65
from 0, < 2.4.65-1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

References (7)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2025-54090
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-54090
WEBhttpd.apache.org/security/vulnerabilities_24.html
WEBlists.debian.org/debian-lts-announce/2025/08/msg00009.html