CVE-2025-3891

HIGH EPSS 64.4%

Published Apr 29, 20251y ago · Modified Jun 17, 20261w ago

7.5 CVSS 3.1

High

Published Apr 29, 2025 1y ago

Last Modified Jun 17, 2026 1w ago

Description

A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently, affecting availability.

CVSS Details

Base Score

7.5

Exploitability

3.9

Impact

3.6

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality None

Integrity None

Availability High

Threat Intelligence

EPSS Exploit Probability

64.4% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-248

Affected Products 5

Vendor	Product	Version	Range
apache	http_server	*	any
redhat	enterprise_linux	7.0	any
redhat	enterprise_linux	8.0	any
redhat	enterprise_linux	9.0	any
debian	debian_linux	11.0	any

References 14

access.redhat.com https://access.redhat.com/errata/RHSA-2025:10002
access.redhat.com https://access.redhat.com/errata/RHSA-2025:10003
access.redhat.com https://access.redhat.com/errata/RHSA-2025:10004
access.redhat.com https://access.redhat.com/errata/RHSA-2025:10006
access.redhat.com https://access.redhat.com/errata/RHSA-2025:10007
access.redhat.com https://access.redhat.com/errata/RHSA-2025:10008
access.redhat.com https://access.redhat.com/errata/RHSA-2025:10010
access.redhat.com https://access.redhat.com/errata/RHSA-2025:4597

Third Party Advisory
access.redhat.com https://access.redhat.com/errata/RHSA-2025:9396
access.redhat.com https://access.redhat.com/security/cve/CVE-2025-3891

Third Party Advisory
bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=2361633

Issue Tracking
github.com https://github.com/OpenIDC/mod_auth_openidc/commit/6a0b5f66c87184dfe0e4400f6bdd46a82dc0ec2b
github.com https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-x7cf-8wgv-5j86
lists.debian.org https://lists.debian.org/debian-lts-announce/2025/05/msg00007.html

Mailing ListThird Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.