Bug 2374580 (CVE-2025-49812) - CVE-2025-49812 httpd: HTTP Session Hijack via a TLS upgrade
Summary: CVE-2025-49812 httpd: HTTP Session Hijack via a TLS upgrade
Keywords:
Status: NEW
Alias: CVE-2025-49812
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2025-06-24 13:49 UTC by OSIDB Bzimport
Modified: 2025-07-15 06:06 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-06-24 13:49:50 UTC
In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Upstream recommends that users upgrade to version 2.4.64, which removes support for TLS upgrade.
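Two checks a responder would want for this advisory, as an added example that is not part of the bug report and not code from Red Hat or the Apache project: a scan of httpd configuration text for the one affected setting, "SSLEngine optional", and a classifier for the answer a plaintext listener gives to an RFC 2817 upgrade probe ("Upgrade: TLS/1.0"). The configuration sample, the hostnames and the captured responses below are constructed for the example; it is an assumption of the classifier that a listener with TLS upgrade enabled answers such a probe with 101 Switching Protocols or advertises an "Upgrade: TLS/..." header, which is the RFC 2817 behaviour mod_ssl implements for this setting.

```python
"""Audit helpers for CVE-2025-49812 (httpd TLS upgrade via "SSLEngine optional").

Added example, not from the bug report or the Apache project.
"""
import re
import socket

# Matches an SSLEngine directive and captures its argument (on/off/optional).
_SSLENGINE_RE = re.compile(r"^\s*SSLEngine\s+(\S+)", re.IGNORECASE)
# Tracks <VirtualHost ...> blocks so findings can be attributed to a vhost.
_VHOST_OPEN_RE = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)
_VHOST_CLOSE_RE = re.compile(r"^\s*</VirtualHost>", re.IGNORECASE)


def find_optional_sslengine(config_text):
    """Return [(line_number, vhost_or_None)] for every 'SSLEngine optional'.

    'SSLEngine on' and 'SSLEngine off' are not affected and are ignored;
    comment lines (leading '#') are skipped.
    """
    findings = []
    current_vhost = None
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if line.strip().startswith("#"):
            continue
        m = _VHOST_OPEN_RE.match(line)
        if m:
            current_vhost = m.group(1).strip()
            continue
        if _VHOST_CLOSE_RE.match(line):
            current_vhost = None
            continue
        m = _SSLENGINE_RE.match(line)
        if m and m.group(1).lower() == "optional":
            findings.append((lineno, current_vhost))
    return findings


def build_upgrade_probe(host):
    """RFC 2817 probe: ask the plaintext listener to upgrade to TLS."""
    return (
        "OPTIONS * HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Upgrade: TLS/1.0\r\n"
        "Connection: Upgrade\r\n\r\n"
    ).encode("ascii")


def classify_upgrade_response(raw):
    """Return (status_code, accepts_upgrade) for a raw HTTP response.

    accepts_upgrade is True on 101 Switching Protocols, or when the server
    advertises 'Upgrade: TLS/...' in its headers (assumption: that is how a
    listener with TLS upgrade enabled answers the probe).
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % lines[0])
    status = int(parts[1])
    advertises = False
    for hdr in lines[1:]:
        name, sep, value = hdr.partition(":")
        if sep and name.strip().lower() == "upgrade":
            if any(t.strip().upper().startswith("TLS/") for t in value.split(",")):
                advertises = True
    return status, status == 101 or advertises


def probe_tls_upgrade(host, port=80, timeout=5.0):
    """Send the probe to a live plaintext listener and classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_upgrade_probe(host))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    return classify_upgrade_response(raw)


# Constructed sample configuration (hostnames and layout are made up).
SAMPLE_CONFIG = """\
Listen 80
Listen 443
# SSLEngine optional   <- commented out, must not be reported
<VirtualHost *:443>
    ServerName secure.example.test
    SSLEngine on
</VirtualHost>
<VirtualHost *:80>
    ServerName upgrade.example.test
    SSLEngine optional
</VirtualHost>
"""

# Constructed responses a probe might receive (not captured from a real host).
RESPONSE_UPGRADE_ACCEPTED = (
    b"HTTP/1.1 101 Switching Protocols\r\n"
    b"Upgrade: TLS/1.0, HTTP/1.1\r\n"
    b"Connection: Upgrade\r\n\r\n"
)
RESPONSE_PLAIN = (
    b"HTTP/1.1 200 OK\r\n"
    b"Allow: GET,HEAD,POST,OPTIONS\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for lineno, vhost in find_optional_sslengine(SAMPLE_CONFIG):
        print(f"line {lineno}: SSLEngine optional in <VirtualHost {vhost}>")
    print(classify_upgrade_response(RESPONSE_UPGRADE_ACCEPTED))
    print(classify_upgrade_response(RESPONSE_PLAIN))
```

The configuration scan is the check to run across every httpd instance first, since the advisory limits exposure to that one directive value; the live probe is the confirmation that a given plaintext listener really still honours the upgrade, which is what the upstream fix in 2.4.64 removes. Replacing "SSLEngine optional" with "SSLEngine on" on a dedicated TLS vhost (and serving plain HTTP, if still needed, from a vhost without it) removes the affected behaviour without waiting for the upgrade.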

