Apache HTTP Server mod_proxy_http2 Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Apache HTTP Server versions 2.4.26 up to, but not including, 2.4.63. It arises in proxy configurations where httpd is set up as a reverse proxy for an HTTP/2 backend and the ProxyPreserveHost directive is enabled. Under these conditions, an untrusted client can trigger an assertion failure in the mod_proxy_http2 module, which crashes the server.

Impact

Exploitation of this vulnerability leads to a crash of the Apache HTTP Server process, causing a denial-of-service condition.

Reproduction

To reproduce this vulnerability, configure Apache HTTP Server as a reverse proxy for an HTTP/2 backend with the ProxyPreserveHost directive set to 'on'. Then send, from an untrusted client, a request that triggers the assertion failure in the mod_proxy_http2 module; the crash depends on the proxying behaviour that these two conditions enable.

Remediation

Users are advised to upgrade to Apache HTTP Server version 2.4.64 or later, which addresses this vulnerability.
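The two conditions named above (an HTTP/2 backend behind mod_proxy and ProxyPreserveHost On) and the upgrade threshold named in the remediation can be checked from a shell. The script below is an added example written for this page; it is not part of the advisory or of the Apache project. It assumes the version comes from the first line of `httpd -v` and that the configuration is passed as plain text on stdin; the banner and configuration samples it runs on are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not part of the original advisory: audit helpers for the
# conditions it describes. needs_upgrade flags an httpd 2.4.x version below the
# remediation release the advisory names (2.4.64); risky_proxy_config flags a
# configuration that proxies to an HTTP/2 backend (h2:// or h2c://) while
# ProxyPreserveHost is On. All sample inputs below are constructed.

# Print the version number from the first line of "httpd -v", e.g.
# "Server version: Apache/2.4.58 (Ubuntu)" -> "2.4.58".
extract_version() {
  printf '%s\n' "$1" | sed -n 's#^Server version: Apache/\([0-9][0-9.]*\).*#\1#p'
}

# Return 0 (true) when the version is a 2.4.x release older than 2.4.64,
# i.e. still below the release the advisory recommends. Other branches
# and unparseable strings return 1 (not assessable by this check).
needs_upgrade() {
  v=$1
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  case $rest in
    *.*) patch=${rest#*.} ;;
    *)   patch=0 ;;
  esac
  patch=${patch%%[!0-9]*}        # drop suffixes such as "-dev"
  patch=${patch:-0}
  { [ "$major" -eq 2 ] && [ "$minor" -eq 4 ]; } 2>/dev/null || return 1
  [ "$patch" -lt 64 ]
}

# Read an httpd configuration on stdin and return 0 when it both proxies to an
# HTTP/2 backend and sets ProxyPreserveHost On. Directive names and values are
# matched case-insensitively, as httpd treats them. This is a flat text scan:
# it does not follow Include files or track <Location>/<VirtualHost> scoping,
# so treat a hit as a lead to inspect by hand, not as a verdict.
risky_proxy_config() {
  cfg=$(cat)
  printf '%s\n' "$cfg" \
    | grep -Eiq '^[[:space:]]*ProxyPass(Match)?[[:space:]].*[[:space:]]"?h2c?://' || return 1
  printf '%s\n' "$cfg" \
    | grep -Eiq '^[[:space:]]*ProxyPreserveHost[[:space:]]+"?On("|[[:space:]]|$)'
}

# Constructed samples for a stand-alone run.
sample_banner='Server version: Apache/2.4.58 (Ubuntu)'
# A site matching the advisory's conditions: HTTP/2 backend, host preserved.
vulnerable_cfg='ProxyPreserveHost On
ProxyPass "/app/" "h2://backend.internal:8443/"
ProxyPassReverse "/app/" "https://backend.internal:8443/"'
# The same site with the host-preserving behaviour switched off.
hardened_cfg='ProxyPreserveHost Off
ProxyPass "/app/" "h2://backend.internal:8443/"
ProxyPassReverse "/app/" "https://backend.internal:8443/"'

ver=$(extract_version "$sample_banner")
if needs_upgrade "$ver"; then
  echo "httpd $ver: below 2.4.64, upgrade"
else
  echo "httpd $ver: at or above 2.4.64"
fi
if printf '%s\n' "$vulnerable_cfg" | risky_proxy_config; then
  echo "sample config: HTTP/2 backend with ProxyPreserveHost On"
fi
if printf '%s\n' "$hardened_cfg" | risky_proxy_config; then
  echo "hardened config: still flagged (unexpected)"
else
  echo "hardened config: not flagged"
fi
```

The second configuration sample only shows the advisory's condition not holding; switching ProxyPreserveHost Off changes the Host header the backend receives, so the upgrade to 2.4.64 remains the remediation and the configuration change is not a substitute for it. In a live audit, replace the constructed banner with `httpd -v | head -n 1` and feed `httpd -t -D DUMP_CONFIG` style output or the relevant vhost files to `risky_proxy_config` so that included files are covered.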

Added: Jul 10, 2025, 5:24 PM
Updated: Jul 10, 2025, 5:24 PM

Vulnerability Rating

Custom Algorithm

  spread          9.4
  impact          2.5
  exploitability  7.9
  remediation     7.7
  relevance       0.3
  threat          1.7
  urgency         2.9
  incentive       5.8

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.