Description
A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently, affecting availability.
Problem types
Product status
2.0.0 (semver) before 2.4.13.1
8100020250426100353.489197e6 (rpm) before *
8020020250612174445.4cda2c84 (rpm) before *
8040020250618101351.522a0ee4 (rpm) before *
8060020250617090503.ad008a3a (rpm) before *
8060020250617090503.ad008a3a (rpm) before *
8060020250617090503.ad008a3a (rpm) before *
8080020250617090716.63b34585 (rpm) before *
8080020250617090716.63b34585 (rpm) before *
0:2.4.10-1.el9_6.2 (rpm) before *
0:2.4.9.4-1.el9_0.3 (rpm) before *
0:2.4.9.4-1.el9_2.3 (rpm) before *
0:2.4.9.4-4.el9_4.2 (rpm) before *
Timeline
| 2025-04-22: | Reported to Red Hat. |
| 2025-04-29: | Made public. |
References
lists.debian.org/debian-lts-announce/2025/05/msg00007.html
access.redhat.com/errata/RHSA-2025:10002 (RHSA-2025:10002)
access.redhat.com/errata/RHSA-2025:10003 (RHSA-2025:10003)
access.redhat.com/errata/RHSA-2025:10004 (RHSA-2025:10004)
access.redhat.com/errata/RHSA-2025:10006 (RHSA-2025:10006)
access.redhat.com/errata/RHSA-2025:10007 (RHSA-2025:10007)
access.redhat.com/errata/RHSA-2025:10008 (RHSA-2025:10008)
access.redhat.com/errata/RHSA-2025:10010 (RHSA-2025:10010)
access.redhat.com/errata/RHSA-2025:4597 (RHSA-2025:4597)
access.redhat.com/errata/RHSA-2025:9396 (RHSA-2025:9396)
access.redhat.com/security/cve/CVE-2025-3891
bugzilla.redhat.com/show_bug.cgi?id=2361633 (RHBZ#2361633)
github.com/...ommit/6a0b5f66c87184dfe0e4400f6bdd46a82dc0ec2b
github.com/...penidc/security/advisories/GHSA-x7cf-8wgv-5j86