What is CVE-2023-25690?

CVE-2023-25690 is a vulnerability found in httpd, specifically in mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55.

How severe is CVE-2023-25690?

CVE-2023-25690 has a severity rating of critical (9 out of 10).

Which software versions are affected by CVE-2023-25690?

CVE-2023-25690 affects Apache HTTP Server versions 2.4.0 through 2.4.55, jbcs-httpd24-httpd versions 2.4.51-39.el8 and 2.4.51-39.el7, httpd version 2.4.6-98.el7_9.7, and httpd versions 2.4.53-7.el9_1.5 and 2.4.51-7.el9_0.4.

How can I fix CVE-2023-25690?

To fix CVE-2023-25690, it is recommended to update to the latest patched versions of the affected software mentioned in the advisory.

Where can I find more information about CVE-2023-25690?

More information about CVE-2023-25690 can be found on the official CVE website, NIST NVD, Apache HTTP Server security vulnerabilities page, and the Red Hat Bugzilla and Errata pages.

Vulnerability/
CVE-2023-25690

critical

9.8

CWE

444 113

7/3/2023

13/2/2025

CVE-2023-25690: Apache HTTP Server: HTTP request splitting with mod_rewrite and mod_proxy

First published: Tue Mar 07 2023(Updated: )

A vulnerability was found in httpd. This security issue occurs when some mod_proxy configurations on Apache HTTP Server allow an HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution.

Credit: security@apache.org

Affected Software	Affected Version	How to fix
redhat/jbcs-httpd24-httpd	<0:2.4.51-39.el8	0:2.4.51-39.el8
redhat/jbcs-httpd24-httpd	<0:2.4.51-39.el7	0:2.4.51-39.el7
redhat/httpd	<0:2.4.6-98.el7_9.7	0:2.4.6-98.el7_9.7
redhat/httpd	<0:2.4.53-7.el9_1.5	0:2.4.53-7.el9_1.5
redhat/httpd	<0:2.4.51-7.el9_0.4	0:2.4.51-7.el9_0.4
redhat/httpd24-httpd	<0:2.4.34-23.el7.6	0:2.4.34-23.el7.6
redhat/httpd	<2.4.56	2.4.56
Apache Http Server	>=2.4.0<=2.4.55
Apache HTTP Server	>=2.4.0<=2.4.55

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is CVE-2023-25690?
CVE-2023-25690 is a vulnerability found in httpd, specifically in mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55.
How severe is CVE-2023-25690?
CVE-2023-25690 has a severity rating of critical (9 out of 10).
Which software versions are affected by CVE-2023-25690?
CVE-2023-25690 affects Apache HTTP Server versions 2.4.0 through 2.4.55, jbcs-httpd24-httpd versions 2.4.51-39.el8 and 2.4.51-39.el7, httpd version 2.4.6-98.el7_9.7, and httpd versions 2.4.53-7.el9_1.5 and 2.4.51-7.el9_0.4.
How can I fix CVE-2023-25690?
To fix CVE-2023-25690, it is recommended to update to the latest patched versions of the affected software mentioned in the advisory.
Where can I find more information about CVE-2023-25690?
More information about CVE-2023-25690 can be found on the official CVE website, NIST NVD, Apache HTTP Server security vulnerabilities page, and the Red Hat Bugzilla and Errata pages.

collector/redhat-cve
agent/type
agent/first-publish-date
agent/author
agent/references
agent/severity
agent/title
agent/weakness
agent/description
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2023-25690
agent/software-canonical-lookup
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/event
agent/trending
collector/nvd-api
source/NVD
agent/software-canonical-lookup-request
collector/nvd-index
agent/softwarecombine
agent/tags
agent/source
package-manager/redhat
vendor/apache
canonical/apache http server
version/apache http server/2.4.0
version/apache http server/2.4.55