CVE-2025-49812 | HackTesting

In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.

Credits

Robert Merget (Technology Innovation Institute)

Nurullah Erinola (Ruhr University Bochum)

Marcel Maehren (Ruhr University Bochum)

Lukas Knittel (Ruhr University Bochum)

Sven Hebrok (Paderborn University)

Marcus Brinkmann (Ruhr University Bochum)

Juraj Somorovsky (Paderborn University)

Jörg Schwenk (Ruhr University Bochum)

References

httpd.apache.org/security/vulnerabilities_24.html