CVE-2023-28625

7.5 HIGH

📋 TL;DR

CVE-2023-28625 is a NULL pointer dereference vulnerability in mod_auth_openidc for Apache HTTP Server when OIDCStripCookies is enabled. Attackers can send crafted cookies to trigger segmentation faults, causing denial-of-service and disrupting web server availability. Organizations using mod_auth_openidc versions 2.0.0 through 2.4.13.1 with OIDCStripCookies enabled are affected.

💻 Affected Systems

Products:
  • mod_auth_openidc
Versions: 2.0.0 through 2.4.13.1
Operating Systems: Linux, Unix, Windows (if Apache is installed)
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when OIDCStripCookies directive is explicitly enabled in configuration. Default installations without this setting are not vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete web server crash leading to sustained denial-of-service, requiring manual restart and causing extended service disruption.

🟠

Likely Case

Apache worker process crashes resulting in temporary service interruption, degraded performance, and potential service unavailability until processes restart.

🟢

If Mitigated

Minimal impact with proper monitoring and automatic process recovery, though some request failures may occur during crashes.

🌐 Internet-Facing: HIGH - Web servers are directly accessible and attackers can easily send crafted cookies without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this, but requires network access to the web server.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending HTTP requests with crafted cookies, which is trivial for attackers with network access to the web server.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.13.2

Vendor Advisory: https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-f5xw-rvfr-24qr

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Download mod_auth_openidc v2.4.13.2 from GitHub releases.
3. Compile and install the new version.
4. Restart Apache HTTP Server to load the patched module.

🔧 Temporary Workarounds

Disable OIDCStripCookies

Linux (Debian/Ubuntu layout shown; adjust the path for other distributions)

Remove or comment out the OIDCStripCookies directive in the Apache configuration so the vulnerable code path is never reached.

# Find the configuration file(s) that enable the directive
grep -rli 'OIDCStripCookies' /etc/apache2/
# Comment out the directive in each file found (or delete the line entirely)
grep -rli 'OIDCStripCookies' /etc/apache2/ | xargs sudo sed -i 's/^\([[:space:]]*\)OIDCStripCookies/\1#OIDCStripCookies/'
# Check the syntax, then restart Apache
sudo apache2ctl configtest && sudo systemctl restart apache2

🧯 If You Can't Patch

  • Disable OIDCStripCookies directive in Apache configuration immediately
  • Implement web application firewall (WAF) rules to block requests with suspicious cookie patterns

🔍 How to Verify

Check if Vulnerable:

Check the Apache configuration for an active OIDCStripCookies directive, confirm the module is loaded with: apache2ctl -M | grep auth_openidc, and determine the mod_auth_openidc version from the configuration or from the package manager. Both conditions must hold for the server to be affected: a version in the 2.0.0 through 2.4.13.1 range and the directive enabled.

Check Version:

  • From the configuration: grep -i 'mod_auth_openidc' /etc/apache2/mods-enabled/*.conf
  • Debian/Ubuntu package version: dpkg -l | grep mod-auth-openidc
  • RHEL/CentOS package version: rpm -qa | grep mod_auth_openidc

Verify Fix Applied:

Confirm mod_auth_openidc version is 2.4.13.2 or later and test with crafted cookie requests to ensure no segmentation faults occur.
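The two checks above, combined into one script. This is an added example, not part of the advisory or of the mod_auth_openidc project: it looks for an uncommented OIDCStripCookies directive anywhere under a configuration directory and tests whether a given version string falls inside the affected range 2.0.0 through 2.4.13.1, reporting "affected" only when both conditions hold. The configuration files and version strings used in the demo at the bottom are constructed for illustration; on a real host you would point it at /etc/apache2 or /etc/httpd and pass the version reported by your package manager.

```shell
#!/bin/sh
# Added example (not the advisory's or the project's own code): automates the
# "Check if Vulnerable" steps for CVE-2023-28625. Affected range taken from the
# advisory text: mod_auth_openidc 2.0.0 .. 2.4.13.1 with OIDCStripCookies enabled.

# Return 0 (true) when some file under the directory has an uncommented OIDCStripCookies line.
# Apache directive names are case-insensitive, so match case-insensitively; a line whose
# first non-blank character is '#' (a commented-out directive) does not match.
strip_cookies_enabled() {
    confdir="$1"
    grep -rEiq '^[[:space:]]*OIDCStripCookies[[:space:]]' "$confdir" 2>/dev/null
}

# Compare two dotted version strings numerically, field by field (missing fields count as 0).
# Prints lt, eq or gt for $1 relative to $2, so 2.4.13 and 2.4.13.0 compare equal.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i in x) ? x[i] + 0 : 0
            bi = (i in y) ? y[i] + 0 : 0
            if (ai < bi) { print "lt"; exit }
            if (ai > bi) { print "gt"; exit }
        }
        print "eq"
    }'
}

# Return 0 when the version is inside the affected range 2.0.0 .. 2.4.13.1 (inclusive).
version_affected() {
    [ "$(vercmp "$1" 2.0.0)" != lt ] && [ "$(vercmp "$1" 2.4.13.1)" != gt ]
}

# Overall verdict: the advisory requires BOTH an affected version AND the directive enabled.
is_vulnerable() {
    version_affected "$1" && strip_cookies_enabled "$2"
}

# Demo on a constructed configuration tree (not a real host's configuration).
demo_dir=$(mktemp -d)
printf '  oidcstripcookies On\n' > "$demo_dir/openidc.conf"   # active: lower-case and indented still count
for v in 2.0.0 2.4.13.1 2.4.13.2; do
    if is_vulnerable "$v" "$demo_dir"; then
        echo "mod_auth_openidc $v with OIDCStripCookies enabled: affected"
    else
        echo "mod_auth_openidc $v with OIDCStripCookies enabled: not affected"
    fi
done
printf '#OIDCStripCookies On\n' > "$demo_dir/openidc.conf"    # commented out: workaround applied
if ! is_vulnerable 2.4.13.1 "$demo_dir"; then
    echo "mod_auth_openidc 2.4.13.1 with the directive commented out: not affected"
fi
rm -rf "$demo_dir"
```

The version comparison is done field by field rather than with a string comparison, because "2.4.9" sorts after "2.4.13" as text but is older; that is the kind of mistake that makes an inventory script miss affected hosts.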

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault errors in Apache error logs
  • Apache worker process crashes
  • Multiple 'core dumped' messages
  • Unusual cookie patterns in access logs

Network Indicators:

  • HTTP requests with unusually long or malformed cookies
  • Sudden increase in 500 Internal Server Error responses

SIEM Query:

source="apache_error.log" AND ("segmentation fault" OR "core dumped" OR "SIGSEGV")
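The same indicators as the SIEM query, run directly over an Apache error log from the web server itself (for example from cron) where no SIEM collects the file. This is an added example, not part of the advisory: it counts lines matching the query's three terms and, separately, the number of distinct worker children reported as crashed, so that a duplicated log line does not inflate the count. The log lines at the bottom are constructed samples in Apache's error-log format, not output captured from a real host, and the alert threshold of three crashed children is an assumed value to tune for your environment.

```shell
#!/bin/sh
# Added example (not the advisory's own code): host-side equivalent of the SIEM query
# source="apache_error.log" AND ("segmentation fault" OR "core dumped" OR "SIGSEGV").

# Count log lines matching the same three indicators as the SIEM query, case-insensitively.
# grep -c exits 1 when nothing matches; keep the function's exit status 0 so it composes.
count_crash_lines() {
    grep -Eic 'segmentation fault|core dumped|SIGSEGV' "$1" || true
}

# Count DISTINCT child pids in "child pid N exit signal ..." lines (the message Apache's
# parent process logs when a worker dies on a signal), so repeated lines are not over-counted.
count_crashed_children() {
    awk '
        tolower($0) ~ /child pid [0-9]+ exit signal/ {
            for (i = 1; i < NF - 1; i++)
                if (tolower($i) == "child" && tolower($(i+1)) == "pid") seen[$(i+2)] = 1
        }
        END { n = 0; for (p in seen) n++; print n }
    ' "$1"
}

# Return 0 (alert) when the number of crashed children reaches the threshold.
crash_burst_detected() {
    [ "$(count_crashed_children "$1")" -ge "$2" ]
}

# Constructed sample log (not captured from a real server); one crash line is duplicated on purpose.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Mon Apr 03 10:15:22.000001 2023] [mpm_event:notice] [pid 1000:tid 1] AH00489: Apache/2.4 (Unix) configured -- resuming normal operations
[Mon Apr 03 10:16:02.000002 2023] [core:notice] [pid 1000:tid 1] AH00052: child pid 1201 exit signal Segmentation fault (11)
[Mon Apr 03 10:16:03.000003 2023] [core:notice] [pid 1000:tid 1] AH00052: child pid 1202 exit signal Segmentation fault (11), possible coredump in /var/tmp
[Mon Apr 03 10:16:03.000003 2023] [core:notice] [pid 1000:tid 1] AH00052: child pid 1202 exit signal Segmentation fault (11), possible coredump in /var/tmp
[Mon Apr 03 10:16:05.000005 2023] [core:notice] [pid 1000:tid 1] AH00052: child pid 1203 exit signal Segmentation fault (11)
EOF

threshold=3   # assumed value; tune to the normal crash rate of your servers
echo "matching lines:    $(count_crash_lines "$sample")"        # 4
echo "crashed children:  $(count_crashed_children "$sample")"   # 3 (1202 counted once)
if crash_burst_detected "$sample" "$threshold"; then
    echo "ALERT: $threshold or more Apache workers crashed; check for CVE-2023-28625 exposure"
fi
rm -f "$sample"
```

Pair this with the configuration check: a crash burst on a server where OIDCStripCookies is enabled and the module is older than 2.4.13.2 is the combination worth paging on, while the same log pattern on a patched server points elsewhere.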
