CVE-2025-3891 - Vulnerability Details

A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently, affecting availability.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Apache	Http Server
Debian	Debian Linux
Redhat	Enterprise Linux Rhel Aus Rhel E4s Rhel Eus Rhel Tus

Configuration 1 [-]

cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:8.0::::-:::
	cpe:2.3:o:redhat:enterprise_linux:9.0:::::::*

Configuration 3 [-]

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 8
mod_auth_openidc:2.3-8100020250426100353.489197e6	cpe:/a:redhat:enterprise_linux:8	RHSA-2025:4597	2025-05-06T00:00:00Z
Red Hat Enterprise Linux 9
mod_auth_openidc-0:2.4.10-1.el9_6.2	cpe:/a:redhat:enterprise_linux:9	RHSA-2025:9396	2025-06-23T00:00:00Z

References

Link	Providers
https://access.redhat.com/errata/RHSA-2025:10002
https://access.redhat.com/errata/RHSA-2025:10003
https://access.redhat.com/errata/RHSA-2025:10004
https://access.redhat.com/errata/RHSA-2025:10006
https://access.redhat.com/errata/RHSA-2025:10007
https://access.redhat.com/errata/RHSA-2025:10008
https://access.redhat.com/errata/RHSA-2025:10010
https://access.redhat.com/errata/RHSA-2025:4597
https://access.redhat.com/errata/RHSA-2025:9396
https://access.redhat.com/security/cve/CVE-2025-3891
https://bugzilla.redhat.com/show_bug.cgi?id=2361633
https://lists.debian.org/debian-lts-announce/2025/05/msg00007.html
https://nvd.nist.gov/vuln/detail/CVE-2025-3891
https://www.cve.org/CVERecord?id=CVE-2025-3891

History

Tue, 01 Jul 2025 02:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Aus Redhat rhel E4s Redhat rhel Eus Redhat rhel Tus
CPEs		cpe:/a:redhat:rhel_aus:8.2::appstream cpe:/a:redhat:rhel_aus:8.4::appstream cpe:/a:redhat:rhel_aus:8.6::appstream cpe:/a:redhat:rhel_e4s:8.6::appstream cpe:/a:redhat:rhel_e4s:8.8::appstream cpe:/a:redhat:rhel_e4s:9.0::appstream cpe:/a:redhat:rhel_e4s:9.2::appstream cpe:/a:redhat:rhel_eus:9.4::appstream cpe:/a:redhat:rhel_tus:8.6::appstream cpe:/a:redhat:rhel_tus:8.8::appstream
Vendors & Products		Redhat rhel Aus Redhat rhel E4s Redhat rhel Eus Redhat rhel Tus
References		https://access.redhat.com/errata/RHSA-2025:10002 https://access.redhat.com/errata/RHSA-2025:10003 https://access.redhat.com/errata/RHSA-2025:10004 https://access.redhat.com/errata/RHSA-2025:10006 https://access.redhat.com/errata/RHSA-2025:10007 https://access.redhat.com/errata/RHSA-2025:10008 https://access.redhat.com/errata/RHSA-2025:10010

Tue, 24 Jun 2025 02:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:9

Mon, 23 Jun 2025 18:45:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/o:redhat:enterprise_linux:9~~	cpe:/a:redhat:enterprise_linux:9::appstream
References		https://access.redhat.com/errata/RHSA-2025:9396

Tue, 10 Jun 2025 19:00:00 +0000

Type	Values Removed	Values Added
Metrics	threat_severity `Moderate`	threat_severity `Important`

Fri, 06 Jun 2025 10:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/o:redhat:enterprise_linux:10
Metrics	cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}`	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Mon, 12 May 2025 20:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apache Apache http Server Debian Debian debian Linux
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:apache:http_server:-:::::::* cpe:2.3:o:debian:debian_linux:11.0:::::::* cpe:2.3:o:redhat:enterprise_linux:7.0:::::::* cpe:2.3:o:redhat:enterprise_linux:8.0::::-::: cpe:2.3:o:redhat:enterprise_linux:9.0:::::::*
Vendors & Products		Apache Apache http Server Debian Debian debian Linux

Thu, 08 May 2025 11:45:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2025/05/msg00007.html

Wed, 07 May 2025 15:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:8

Wed, 07 May 2025 02:30:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/o:redhat:enterprise_linux:8~~	cpe:/a:redhat:enterprise_linux:8::appstream
References		https://access.redhat.com/errata/RHSA-2025:4597

Fri, 02 May 2025 02:45:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2025-3891 https://www.cve.org/CVERecord?id=CVE-2025-3891
Metrics	threat_severity `None`	threat_severity `Moderate`

Tue, 29 Apr 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 29 Apr 2025 12:15:00 +0000

Type	Values Removed	Values Added
Description		A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently, affecting availability.
Title		Mod_auth_openidc: dos via empty post in mod_auth_openidc with oidcpreservepost enabled
First Time appeared		Redhat Redhat enterprise Linux
Weaknesses		CWE-248
CPEs		cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:8 cpe:/o:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat enterprise Linux
References		https://access.redhat.com/security/cve/CVE-2025-3891 https://bugzilla.redhat.com/show_bug.cgi?id=2361633
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2025-04-29T11:56:50.808Z

Updated: 2025-07-01T01:53:32.168Z

Reserved: 2025-04-23T06:53:53.124Z

Link: CVE-2025-3891

Vulnrichment

Updated: 2025-05-08T11:02:57.903Z

NVD

Status : Modified

Published: 2025-04-29T12:15:32.137

Modified: 2025-07-01T02:15:21.967

Link: CVE-2025-3891

Redhat

Severity : Important

Publid Date: 2025-04-29T11:37:07Z

Links: CVE-2025-3891 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object