Home

Description

A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond expr ..." tests evaluating as "true". Users are recommended to upgrade to version 2.4.65, which fixes the issue.

PUBLISHED Reserved 2025-07-16 | Published 2025-07-23 | Updated 2025-11-04 | Assigner apache

Problem types

CWE-253 Incorrect Check of Function Return Value

Product status

Default status
unaffected

2.4.64 (semver)
affected

Timeline

2025-07-16:reported
2025-07-23:fixed in 2.4.x by r1927361

References

news.ycombinator.com/item?id=44666896

lists.debian.org/debian-lts-announce/2025/08/msg00009.html

www.openwall.com/lists/oss-security/2025/07/24/2

httpd.apache.org/security/vulnerabilities_24.html vendor-advisory

cve.org (CVE-2025-54090)

nvd.nist.gov (CVE-2025-54090)

Download JSON