CVE-2025-3891

Summary

A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently, affecting availability.

Affected Software

VendorProductVersion RangeStatus
2.0.0 < 2.4.13.1affected
Red HatRed Hat Enterprise Linux 88100020250426100353.489197e6 < *unaffected
Red HatRed Hat Enterprise Linux 8.2 Advanced Update Support8020020250612174445.4cda2c84 < *unaffected
Red HatRed Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support8040020250618101351.522a0ee4 < *unaffected
Red HatRed Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support8060020250617090503.ad008a3a < *unaffected
Red HatRed Hat Enterprise Linux 8.6 Telecommunications Update Service8060020250617090503.ad008a3a < *unaffected
Red HatRed Hat Enterprise Linux 8.6 Update Services for SAP Solutions8060020250617090503.ad008a3a < *unaffected
Red HatRed Hat Enterprise Linux 8.8 Telecommunications Update Service8080020250617090716.63b34585 < *unaffected
Red HatRed Hat Enterprise Linux 8.8 Update Services for SAP Solutions8080020250617090716.63b34585 < *unaffected
Red HatRed Hat Enterprise Linux 90:2.4.10-1.el9_6.2 < *unaffected
Red HatRed Hat Enterprise Linux 9.0 Update Services for SAP Solutions0:2.4.9.4-1.el9_0.3 < *unaffected
Red HatRed Hat Enterprise Linux 9.2 Update Services for SAP Solutions0:2.4.9.4-1.el9_2.3 < *unaffected
Red HatRed Hat Enterprise Linux 9.4 Extended Update Support0:2.4.9.4-4.el9_4.2 < *unaffected

Weaknesses

  • CWE-248: Uncaught Exception

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

References