Apache HTTP Server 2.4.0-2.4.55 - HTTP Request Smuggling via mod_proxy RewriteRule
Exploitation Summary
CVE-2023-25690 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 5 public exploits from researchers including dhmosfunk, thanhlam-attt, arnavps.
AI-analyzed exploit summary: This repository provides a detailed technical analysis of CVE-2023-25690, an HTTP Request Smuggling vulnerability in Apache HTTP Server versions 2.4.0 through 2.4.55. It includes a lab setup with Docker for reproducing the vulnerability, explains the root cause (CRLF injection via mod_proxy and RewriteRule), and demonstrates how an attacker can smuggle requests to bypass access controls.
Description
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow an HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like:

    RewriteEngine on
    RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
    ProxyPassReverse /here/ http://example.com:8080/

Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.
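A configuration audit for the pattern described above, as an added example (not code from the advisory or from any of the listed repositories): it flags proxied RewriteRule and ProxyPassMatch directives whose substitution reuses a capture group broad enough to match arbitrary request-target data. The sample configuration, the function names and the "broad group" heuristic are assumptions made for this illustration.

```python
import re

# Constructed sample: the first RewriteRule is the pattern quoted in the
# description; the remaining directives are made up for comparison.
SAMPLE_CONF = '''\
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
RewriteRule "^/img/([0-9]+)$" "http://example.com:8080/image?id=$1" [P]
RewriteRule "^/old/(.*)" "/new/$1" [R=301,L]
ProxyPassMatch "^/api/(.*)$" "http://example.com:8080/v1/$1"
'''

# Heuristic (assumption): a group is "non-specific" if it contains an
# unescaped dot wildcard or a negated character class.
BROAD = re.compile(r"(?<!\\)\.|\[\^")

def capture_groups(pattern):
    """Map backreference number -> group body; (?...) groups are skipped."""
    groups, stack, count, i = {}, [], 0, 0
    while i < len(pattern):
        if pattern[i] == "\\":          # skip the escaped character
            i += 2
            continue
        if pattern[i] == "(":
            capturing = pattern[i + 1:i + 2] != "?"
            count += capturing
            stack.append((i, count if capturing else None))
        elif pattern[i] == ")" and stack:
            start, num = stack.pop()
            if num:
                groups[num] = pattern[start + 1:i]
        i += 1
    return groups

def audit(conf):
    """Return (line number, directive, backreference) for each risky reuse."""
    findings = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        args = [q or b for q, b in re.findall(r'"([^"]*)"|(\S+)', line)]
        if len(args) < 3:
            continue
        name, pattern, target = args[0].lower(), args[1], args[2]
        flags = args[3].strip("[]").lower().split(",") if len(args) > 3 else []
        proxied = name == "proxypassmatch" or (
            name == "rewriterule" and any(f in ("p", "proxy") for f in flags))
        if proxied:
            groups = capture_groups(pattern)
            findings += [(lineno, args[0], "$" + ref)
                         for ref in re.findall(r"\$(\d)", target)
                         if BROAD.search(groups.get(int(ref), ""))]
    return findings
```

A finding only means the directive has the shape the description warns about; whether it is exploitable still depends on the running version being within 2.4.0 through 2.4.55.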
Exploits (5)
This repository provides a detailed technical analysis of CVE-2023-25690, an HTTP Request Smuggling vulnerability in Apache HTTP Server versions 2.4.0 through 2.4.55. It includes a lab setup with Docker for reproducing the vulnerability, explains the root cause (CRLF injection via mod_proxy and RewriteRule), and demonstrates how an attacker can smuggle requests to bypass access controls.
This repository contains a functional exploit for CVE-2023-25690, demonstrating HTTP Request Smuggling in Apache HTTP Server via crafted requests. The PoC includes a Python script that constructs and sends a malicious request to bypass proxy restrictions and access hidden endpoints.
This repository contains a detailed technical analysis and proof-of-concept for CVE-2023-25690, focusing on HTTP request smuggling over UDP/QUIC. It includes a Flask-based vulnerable application, a UDP proxy, and a comprehensive writeup explaining the root cause, exploitation steps, and mitigation strategies.
This repository provides a detailed technical analysis of CVE-2023-25690, an HTTP Request Smuggling vulnerability in Apache HTTP Server versions 2.4.0 through 2.4.55. It includes a lab setup with Docker to demonstrate the vulnerability, focusing on CRLF injection and internal HTTP Request Smuggling via header injection.
This repository provides a technical writeup on mitigating the impact of CVE-2023-25690, an Apache mod_rewrite issue causing 403 errors for URLs with spaces encoded as %20. It includes a configuration fix using specific RewriteRule flags.
References (4)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H