CVE-2025-49630
📋 TL;DR
This vulnerability lets untrusted clients cause a denial of service against Apache HTTP Server by triggering an assertion failure in the mod_proxy_http2 module; the failed assertion aborts the worker process that was serving the request. It affects Apache HTTP Server 2.4.26 through 2.4.63 when configured as a reverse proxy with an HTTP/2 (h2:// or h2c://) backend and ProxyPreserveHost set to 'on'. Organizations running that combination are exposed to repeated worker crashes and service disruption until they update to 2.4.64.
💻 Affected Systems
- Apache HTTP Server
📦 What is this software?
Apache HTTP Server (httpd) is the Apache Software Foundation's open-source web server. mod_proxy_http2 is the mod_proxy backend module used when a ProxyPass target carries the h2:// or h2c:// scheme, so only deployments that proxy to HTTP/2 origins have it in the request path.
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage of the Apache HTTP Server instance, making reverse proxy services unavailable to legitimate users.
Likely Case
Service disruption causing intermittent downtime or degraded performance of proxied applications.
If Mitigated
Once 2.4.64 or later is installed, or ProxyPreserveHost is off, or the backend is reached over HTTP/1.1 instead of h2://, the trigger condition no longer exists. Network segmentation and monitoring on their own only limit who can reach the proxy and how quickly the crashes are noticed; they do not remove the bug.
🎯 Exploit Status
Unauthenticated: any client able to send HTTP requests to the reverse proxy front end can trigger the assertion, and each trigger kills the worker process handling the request. The Apache advisory rates the issue as moderate severity and does not publish request details or exploit code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.64 or later
Vendor Advisory: https://httpd.apache.org/security/vulnerabilities_24.html
Restart Required: Yes
Instructions:
1. Obtain Apache HTTP Server 2.4.64 or later, preferably from your distribution's package repository (distributions often backport the fix under an older upstream version string), otherwise from the official Apache download site.
2. Back up the current configuration (httpd.conf and the conf.d tree, or sites-enabled and conf-enabled on Debian-style layouts).
3. Install the update with your operating system's package manager or your standard build procedure.
4. Run apachectl configtest, then restart the service (systemctl restart httpd on RHEL-style systems, systemctl restart apache2 on Debian-style systems) so the new binaries and modules are loaded.
🔧 Temporary Workarounds
Disable ProxyPreserveHost
Set ProxyPreserveHost to off in every virtual host or proxy context that forwards to an HTTP/2 backend; the advisory lists ProxyPreserveHost on as a required condition for the assertion to be reached.
Edit the Apache configuration and set: ProxyPreserveHost off
Check the syntax and restart: apachectl configtest && sudo systemctl restart apache2 (the service is named httpd on RHEL-style systems)
Caveat: backends that route on the Host header (name-based virtual hosts, tenant lookups) will then see the proxy's own Host value and may need adjusting.
Disable HTTP/2 for backend connections
Route backend traffic through mod_proxy_http (HTTP/1.1) instead of mod_proxy_http2 by changing the scheme of the ProxyPass / ProxyPassMatch target from h2:// or h2c:// to https:// or http://. mod_proxy_http2 only handles h2:// and h2c:// targets, so this removes it from the request path entirely.
Example: ProxyPass / http://backend.example.com/ connectiontimeout=5 timeout=30 (the timeout parameters are unrelated to the fix and can be kept or dropped)
Check the syntax and restart: apachectl configtest && sudo systemctl restart apache2
🧯 If You Can't Patch
- Restrict who can reach the proxy's front end (source allowlists, VPN, or an ACL on an upstream load balancer); the trigger needs nothing more than an HTTP request from an untrusted client, so reachability is the main lever
- Rate-limit per client at the edge; the advisory publishes no request signature for the trigger, so a WAF can only blunt repeated attempts, not block the specific request
- Treat these as stopgaps: they reduce exposure but leave the bug in place, so schedule the update
🔍 How to Verify
Check if Vulnerable:
Run httpd -v (apache2 -v on Debian/Ubuntu) and confirm the version is 2.4.26 through 2.4.63; run httpd -M (apache2ctl -M) and confirm proxy_http2_module is loaded; then search the configuration tree for ProxyPreserveHost On together with a ProxyPass, ProxyPassMatch or RewriteRule target using h2:// or h2c://. All three conditions must hold for the host to be exposed.
Check Version:
httpd -v
Verify Fix Applied:
httpd -v should report 2.4.64 or later. Distribution packages (RHEL, Debian, Ubuntu, SUSE) often backport security fixes without changing the upstream version string, so on those systems check the package changelog or the vendor's CVE tracker for CVE-2025-49630 rather than trusting the version alone.
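The three checks above can be scripted. The following POSIX shell script is an added example written for this page, not code from the Apache project or the advisory. Its helpers take the text of httpd -v, httpd -M and the configuration as arguments, so they can be exercised on the constructed samples embedded in the script, and the --live flag feeds them the real output of the host. The binary and control-tool names and the configuration directories (/etc/httpd for RHEL-style, /etc/apache2 for Debian-style layouts) are assumptions; override the directory with APACHE_CONF_DIR.

```sh
#!/bin/sh
# Added example for this page (not Apache project code): test a host against the
# CVE-2025-49630 preconditions. Helpers take text so they can be dry-run on the
# constructed samples below; `--live` feeds them real httpd output.

# Extract "2.4.63" from `httpd -v` / `apache2 -v` output.
version_from_banner() {
    printf '%s\n' "$1" | sed -n 's#^Server version: Apache/\([0-9][0-9.]*\).*#\1#p' | head -n 1
}

# Return 0 when "$1" is in the affected range 2.4.26 through 2.4.63.
version_in_affected_range() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}        # strip suffixes such as "-dev"
    [ "$major" = 2 ] && [ "$minor" = 4 ] && [ -n "$patch" ] &&
        [ "$patch" -ge 26 ] && [ "$patch" -le 63 ]
}

# Return 0 when the `httpd -M` / `apache2ctl -M` listing in "$1" contains module "$2".
module_loaded() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*${2}_module[[:space:]]"
}

# Return 0 when the configuration text in "$1" carries both triggers:
# ProxyPreserveHost On and a ProxyPass/ProxyPassMatch/RewriteRule target with an
# h2:// or h2c:// scheme. Comments are stripped first so commented-out lines do not count.
config_matches_trigger() {
    stripped=$(printf '%s\n' "$1" | sed 's/#.*//')
    printf '%s\n' "$stripped" | grep -Eiq '^[[:space:]]*ProxyPreserveHost[[:space:]]+On[[:space:]]*$' || return 1
    printf '%s\n' "$stripped" | grep -Eiq '^[[:space:]]*(ProxyPass|ProxyPassMatch|RewriteRule)[[:space:]].*h2c?://'
}

# Combine the checks; return 0 only when every precondition is met.
matches_cve_2025_49630() {         # $1 version banner, $2 module listing, $3 config text
    version_in_affected_range "$(version_from_banner "$1")" || return 1
    module_loaded "$2" proxy_http2 || return 1
    config_matches_trigger "$3"
}

# Constructed samples (not captured from a real host) for a dry run.
SAMPLE_BANNER='Server version: Apache/2.4.63 (Unix)'
SAMPLE_MODULES=' core_module (static)
 proxy_module (shared)
 proxy_http_module (shared)
 proxy_http2_module (shared)'
SAMPLE_CFG_VULNERABLE='ProxyPreserveHost On
# ProxyPass / http://backend.internal:8080/   (old HTTP/1.1 mapping, commented out)
ProxyPass        / h2://backend.internal:8443/
ProxyPassReverse / https://backend.internal:8443/'
SAMPLE_CFG_WORKAROUND='ProxyPreserveHost Off
ProxyPass        / h2://backend.internal:8443/'

# Live check against this host; paths and binary names are assumptions.
live_check() {
    if command -v httpd >/dev/null 2>&1; then
        bin=httpd; ctl=httpd; conf_dir=${APACHE_CONF_DIR:-/etc/httpd}          # RHEL-style layout
    elif command -v apache2 >/dev/null 2>&1; then
        bin=apache2; ctl=apache2ctl; conf_dir=${APACHE_CONF_DIR:-/etc/apache2}  # Debian-style layout
    else
        echo "no httpd/apache2 binary on PATH"; return 2
    fi
    live_cfg=$(find "$conf_dir" -name '*.conf' -exec cat '{}' + 2>/dev/null)
    if matches_cve_2025_49630 "$("$bin" -v)" "$("$ctl" -M 2>/dev/null)" "$live_cfg"; then
        echo "MATCH: affected version, mod_proxy_http2 loaded, ProxyPreserveHost On with an h2:// backend under $conf_dir; update to 2.4.64+"
        return 1
    fi
    echo "no match for CVE-2025-49630 preconditions (distro builds may carry the fix under an older version string; check the package changelog)"
}

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run it as sh check_cve_2025_49630.sh --live on the proxy host. The configuration check is deliberately coarse: it greps the whole tree, so ProxyPreserveHost On in one virtual host and an h2:// ProxyPass in a different one is still reported as a match and needs a per-vhost review, and a match on a distribution build can be a false positive when the vendor has backported the fix.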
📡 Detection & Monitoring
Log Indicators:
- core:crit lines of the form file F, line N, assertion "EXPR" failed (AH00102) in error_log; httpd's ap_assert writes this just before the worker calls abort()
- AH00052 notices from the parent process, child pid N exit signal Aborted (6), as it reaps the dead worker; these repeat for as long as the attacker keeps sending requests
- Connections dropped mid-request rather than clean 5xx responses: every connection the dying worker was serving is lost, so expect resets and timeouts at clients and load balancers, not a rise in 500s
Network Indicators:
- Bursts of requests to proxied paths that line up in time with AH00052 notices in the error log
- Repeated worker deaths attributable to a small set of client addresses, visible as connection resets or retries at the load balancer
SIEM Query (Splunk-style; the index and field names depend on your ingest and are assumptions):
source="apache_error.log" ("AH00102" OR "AH00052" OR "assertion") | regex _raw="assertion .* failed|exit signal Aborted"
Alert when AH00102 and AH00052 both fire from the same host within a short window; a run of Aborted (6) child exits with no matching deploy or out-of-memory event is the pattern repeated triggering produces.
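The same signature can be checked offline against an exported error_log. The script below is an added example for this page, not Apache project code: it counts AH00102 assertion failures and AH00052 Aborted child exits, correlates the pid in each assertion line with the child pid the parent reaped, and raises an alert when both counts reach a threshold. The sample log lines are constructed; SOURCE_FILE.c and EXPR stand in for the real assertion site, which this page does not identify, and the timestamps and pids are invented.

```sh
#!/bin/sh
# Added example for this page (not Apache project code): scan an httpd error_log
# for the crash signature an assertion failure leaves behind. ap_assert logs
# 'file F, line N, assertion "EXPR" failed' (AH00102) at crit level and calls
# abort(); the parent MPM then logs AH00052 'child pid P exit signal Aborted (6)'.

# Constructed sample (not from a real incident). SOURCE_FILE.c / EXPR are placeholders.
SAMPLE_ERROR_LOG='[Tue Jul 08 10:14:01.000001 2025] [mpm_event:notice] [pid 4120:tid 1] AH00489: Apache/2.4.63 (Unix) configured -- resuming normal operations
[Tue Jul 08 10:15:32.000002 2025] [core:crit] [pid 4125:tid 7] AH00102: [Tue Jul 08 10:15:32 2025] file SOURCE_FILE.c, line 0, assertion "EXPR" failed
[Tue Jul 08 10:15:32.000003 2025] [core:notice] [pid 4120:tid 1] AH00052: child pid 4125 exit signal Aborted (6)
[Tue Jul 08 10:15:40.000004 2025] [proxy:error] [pid 4126:tid 9] (111)Connection refused: AH00957: http: attempt to connect to 10.0.0.5:8080 (backend.internal) failed
[Tue Jul 08 10:16:05.000005 2025] [core:crit] [pid 4127:tid 3] AH00102: [Tue Jul 08 10:16:05 2025] file SOURCE_FILE.c, line 0, assertion "EXPR" failed
[Tue Jul 08 10:16:05.000006 2025] [core:notice] [pid 4120:tid 1] AH00052: child pid 4127 exit signal Aborted (6)
[Tue Jul 08 10:17:00.000007 2025] [core:notice] [pid 4120:tid 1] AH00052: child pid 4130 exit signal Segmentation fault (11)'

# Number of ap_assert failures (AH00102) in the log text "$1".
count_assertion_failures() {
    printf '%s\n' "$1" | grep -Ec 'assertion ".*" failed' || true
}

# Number of workers the parent reaped after SIGABRT (AH00052 ... Aborted).
count_aborted_children() {
    printf '%s\n' "$1" | grep -Ec 'AH00052: child pid [0-9]+ exit signal Aborted' || true
}

# Number of abnormal child exits regardless of signal (any AH00052).
count_child_signal_exits() {
    printf '%s\n' "$1" | grep -c 'AH00052: child pid' || true
}

# Pids that logged an assertion failure (works for "[pid N]" and "[pid N:tid M]").
assertion_pids() {
    printf '%s\n' "$1" | sed -n 's/.*\[pid \([0-9]*\)[^]]*\] AH00102.*/\1/p'
}

# Pids the parent reported as exiting on SIGABRT.
aborted_child_pids() {
    printf '%s\n' "$1" | sed -n 's/.*AH00052: child pid \([0-9]*\) exit signal Aborted.*/\1/p'
}

# How many assertion pids also appear as aborted children: the tight pairing
# distinguishes this bug from unrelated crashes such as the segfault above.
correlated_aborts() {
    n=0
    for p in $(assertion_pids "$1"); do
        if aborted_child_pids "$1" | grep -qx "$p"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Return 0 and print an alert when at least $2 (default 1) assertion/abort pairs exist.
crash_loop_signature() {
    threshold=${2:-1}
    asserts=$(count_assertion_failures "$1")
    aborts=$(count_aborted_children "$1")
    paired=$(correlated_aborts "$1")
    if [ "$asserts" -ge "$threshold" ] && [ "$aborts" -ge "$threshold" ]; then
        echo "ALERT: $asserts assertion failures, $aborts SIGABRT worker exits, $paired pid-correlated (pids: $(aborted_child_pids "$1" | tr '\n' ' '))"
        return 0
    fi
    echo "no assertion/abort pairs at threshold $threshold ($asserts assertions, $aborts aborts)"
    return 1
}

# Dispatch: an error_log path as $1 (threshold as optional $2), else the sample.
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    crash_loop_signature "$(cat "$1")" "${2:-1}"
else
    crash_loop_signature "$SAMPLE_ERROR_LOG" 1
fi
```

Point it at a real file with sh scan_error_log.sh /var/log/httpd/error_log 3 to require three pairs before alerting; on a busy proxy a single pair can be an unrelated crash, while a steady stream of pid-correlated pairs while the server is otherwise healthy is the pattern to escalate.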