An unauthenticated attacker can crash the Apache httpd process by sending an empty POST request when OIDCPreservePost is enabled in mod_auth_openidc. This leads to denial of service.
Hi, can you share details about this CVE assignment? According to the Debian maintainer and upstream of the project, they were not informed about this issue and also cannot reproduce crashes, cf. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104484#10. Can you please elaborate? Regards, Salvatore
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2025:4597 https://access.redhat.com/errata/RHSA-2025:4597
Note this is not an issue with upstream mod_auth_openidc 2.4.13.2+ where the issue has already been addressed by https://github.com/OpenIDC/mod_auth_openidc/commit/29ea79dea97cdab1b0d150af2c9a50a442e7216e.
Upstream here: thanks for the details on this CVE. Apparently it is not an empty POST request that causes the crash but rather a missing Content-Type header, as the link to the patch commit also shows. Affected versions are >= 2.0.0 and <= 2.4.13.1; see the newly created advisory on GitHub, based on this issue, here: https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-x7cf-8wgv-5j86
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2025:9396 https://access.redhat.com/errata/RHSA-2025:9396