Description
In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.
Problem types
CWE-287 Improper Authentication
Product status
Any version
Timeline
| 2025-04-22: | Report received |
| 2025-07-07: | 2.4.x revision 1927045 |
Credits
Robert Merget (Technology Innovation Institute)
Nurullah Erinola (Ruhr University Bochum)
Marcel Maehren (Ruhr University Bochum)
Lukas Knittel (Ruhr University Bochum)
Sven Hebrok (Paderborn University)
Marcus Brinkmann (Ruhr University Bochum)
Juraj Somorovsky (Paderborn University)
Jörg Schwenk (Ruhr University Bochum)
References
lists.debian.org/debian-lts-announce/2025/08/msg00009.html
www.openwall.com/lists/oss-security/2025/07/09/3
www.openwall.com/lists/oss-security/2025/07/10/2
www.openwall.com/lists/oss-security/2025/07/10/9
httpd.apache.org/security/vulnerabilities_24.html