CVE-2025-54090

MEDIUM

Apache HTTP Server <2.4.64 - Info Disclosure

Title source: llm

Description

A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond expr ..." tests evaluating as "true". Users are recommended to upgrade to version 2.4.65, which fixes the issue.

References (4)

Core 4

Core References

Mailing List

https://lists.debian.org/debian-lts-announce/2025/08/msg00009.html

Release Notes vendor-advisory

https://httpd.apache.org/security/vulnerabilities_24.html

Issue Tracking, Patch

https://news.ycombinator.com/item?id=44666896

Mailing List

http://www.openwall.com/lists/oss-security/2025/07/24/2

Scores

CVSS v3 6.3

EPSS 0.0092

EPSS Percentile 76.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-253

Status published

Products (1)

apache/http_server 2.4.64

Published Jul 23, 2025

Tracked Since Feb 18, 2026