7.5

CVE-2025-3891

Mod_auth_openidc: dos via empty post in mod_auth_openidc with oidcpreservepost enabled

A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently, affecting availability.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheHTTP Server Version-
RedhatEnterprise Linux Version7.0
RedhatEnterprise Linux Version8.0 SwEdition-
RedhatEnterprise Linux Version9.0
DebianDebian Linux Version11.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.21% 0.647
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
secalert@redhat.com 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-248 Uncaught Exception

An exception is thrown from a function, but it is not caught.

https://access.redhat.com/security/cve/CVE-2025-3891
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2361633
Issue Tracking
https://access.redhat.com/errata/RHSA-2025:4597
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2025/05/msg00007.html
Third Party Advisory
Mailing List
https://access.redhat.com/errata/RHSA-2025:9396
https://access.redhat.com/errata/RHSA-2025:10002
https://access.redhat.com/errata/RHSA-2025:10003
https://access.redhat.com/errata/RHSA-2025:10004
https://access.redhat.com/errata/RHSA-2025:10006
https://access.redhat.com/errata/RHSA-2025:10007
https://access.redhat.com/errata/RHSA-2025:10008
https://access.redhat.com/errata/RHSA-2025:10010
https://github.com/OpenIDC/mod_auth_openidc/commit/6a0b5f66c87184dfe0e4400f6bdd46a82dc0ec2b
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-x7cf-8wgv-5j86