CVE-2025-54090 – A bug in Apache HTTP Server 2.4.64 causes all R... (How to Fix)

Q: What is the severity of CVE-2025-54090?

CVE-2025-54090 has a CVSS score of 6.3 (MEDIUM). A bug in Apache HTTP Server 2.4.64 causes all RewriteCond expression tests to evaluate as true, potentially allowing attackers to bypass URL rewrite rules and access restricted content. This affects all systems running Apache HTTP Server 2.4.64 with mod_rewrite enabled. The vulnerability could lead to unintended URL redirection or access control bypass.

📋 TL;DR

A bug in Apache HTTP Server 2.4.64 causes all RewriteCond expression tests to evaluate as true, potentially allowing attackers to bypass URL rewrite rules and access restricted content. This affects all systems running Apache HTTP Server 2.4.64 with mod_rewrite enabled. The vulnerability could lead to unintended URL redirection or access control bypass.

💻 Affected Systems

Products:

Apache HTTP Server

Versions: 2.4.64 only

Operating Systems: All operating systems running Apache HTTP Server

Default Config Vulnerable: ✅ No

Notes: Only vulnerable if mod_rewrite is enabled and RewriteCond expressions are used in configuration. Default Apache installations may not be affected unless custom rewrite rules are configured.

📦 What is this software?

Http Server by Apache

View all CVEs affecting Http Server →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could bypass authentication, access control, or security filters by manipulating URL rewrite conditions to access restricted directories, sensitive files, or administrative interfaces.

🟠

Likely Case

Attackers bypass URL-based security restrictions to access content that should be blocked, potentially exposing sensitive information or enabling further attacks.

🟢

If Mitigated

With proper network segmentation and additional authentication layers, impact is limited to potential information disclosure from misconfigured rewrite rules.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires knowledge of existing rewrite rules and crafting requests that trigger the bug. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.65

Vendor Advisory: https://httpd.apache.org/security/vulnerabilities_24.html

Restart Required: Yes

Instructions:

1. Download Apache HTTP Server 2.4.65 from official Apache mirrors. 2. Stop Apache service. 3. Backup current configuration. 4. Install new version. 5. Restart Apache service.

🔧 Temporary Workarounds

Disable mod_rewrite

all

Temporarily disable the mod_rewrite module to prevent exploitation

# Comment out LoadModule rewrite_module modules/mod_rewrite.so in httpd.conf
# Or run: a2dismod rewrite && systemctl restart apache2

Remove RewriteCond expressions

all

Temporarily remove or comment out all RewriteCond directives in configuration files

# Comment out lines starting with RewriteCond in .htaccess and httpd.conf files

🧯 If You Can't Patch

Implement web application firewall (WAF) rules to block suspicious URL patterns that might exploit rewrite bypass
Add additional authentication/authorization layers for sensitive directories that rely on rewrite rules for protection

🔍 How to Verify

Check if Vulnerable:

Check Apache version with 'httpd -v' or 'apache2 -v'. If version is 2.4.64 and mod_rewrite is enabled with RewriteCond rules, system is vulnerable.

Check Version:

httpd -v 2>/dev/null || apache2 -v 2>/dev/null || apachectl -v 2>/dev/null

Verify Fix Applied:

After upgrade, verify version is 2.4.65 with 'httpd -v' and test that RewriteCond expressions work correctly by creating test rewrite rules.

📡 Detection & Monitoring

Log Indicators:

Unusual access to URLs that should be blocked by rewrite rules
Patterns of requests that trigger rewrite conditions but access restricted content

Network Indicators:

HTTP requests that bypass expected URL patterns
Access to paths that should be redirected or blocked

SIEM Query:

source="apache_access" AND (url="*" AND NOT url="expected_pattern*") | stats count by src_ip, url

📊 Metadata

CVE ID: CVE-2025-54090

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-253

EPSS Score: 0.22% exploit probability (44.7th percentile)

Published: July 23, 2025

Last Updated: November 4, 2025

🔗 References

https://httpd.apache.org/security/vulnerabilities_24.html Release Notes
http://www.openwall.com/lists/oss-security/2025/07/24/2
https://lists.debian.org/debian-lts-announce/2025/08/msg00009.html
https://news.ycombinator.com/item?id=44666896 Issue Tracking,Patch

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-54090, you might also want to check these: