CVE-2025-3891 is a high-severity vulnerability identified in the mod_auth_openidc module for Apache httpd, specifically affecting version 2.0.0. This module is used to provide OpenID Connect authentication capabilities within Apache HTTP Server environments. The vulnerability arises when the OIDCPreservePost directive is enabled. Under this configuration, a remote attacker can send an empty POST request to the server, which triggers an uncaught exception leading to a consistent crash of the Apache httpd process. This results in a denial of service (DoS) condition, impacting the availability of the web service. Notably, the attack requires no authentication or user interaction, and can be executed remotely over the network. The CVSS v3.1 base score is 7.5, reflecting a high severity due to the ease of exploitation (network vector, no privileges required, no user interaction) and the impact limited to availability (no confidentiality or integrity loss). The vulnerability does not appear to have known exploits in the wild yet, and no patches or mitigations have been explicitly linked in the provided information. The flaw is specific to Red Hat Enterprise Linux 8 environments running Apache httpd with mod_auth_openidc 2.0.0 and the OIDCPreservePost directive enabled, which is a configuration that preserves POST data during authentication redirects. This vulnerability could be exploited by attackers to disrupt services relying on this authentication module, potentially affecting web applications and APIs that depend on OpenID Connect for authentication.

For European organizations, the primary impact of CVE-2025-3891 is the potential disruption of web services that utilize Apache httpd with the mod_auth_openidc module configured with OIDCPreservePost enabled. This could affect government portals, financial institutions, healthcare providers, and enterprises that rely on OpenID Connect for secure authentication. The denial of service could lead to downtime, loss of user trust, and operational disruptions. Since the vulnerability allows unauthenticated remote attackers to crash the server, it could be leveraged in targeted attacks or opportunistic scanning campaigns to degrade service availability. Organizations with critical web-facing services in sectors such as finance, public administration, and critical infrastructure could face significant operational risks. Additionally, the lack of confidentiality or integrity impact means data breaches are unlikely, but service unavailability can still have severe business consequences, including regulatory compliance issues under GDPR if service continuity is mandated. The vulnerability's ease of exploitation and lack of authentication requirements increase the risk profile for European entities hosting affected services.

1. Immediate mitigation involves disabling the OIDCPreservePost directive if it is not essential for the application's functionality, thereby preventing the vulnerable code path from being triggered. 2. Organizations should monitor for updates or patches from Red Hat or the mod_auth_openidc maintainers and apply them promptly once available. 3. Implement network-level protections such as Web Application Firewalls (WAFs) to detect and block anomalous empty POST requests targeting the affected endpoints. 4. Employ rate limiting and anomaly detection on POST requests to reduce the risk of automated exploitation attempts. 5. Conduct thorough configuration audits to identify all Apache httpd instances using mod_auth_openidc and verify the OIDCPreservePost setting. 6. Prepare incident response plans to quickly restart or failover affected services in case of a DoS attack. 7. Consider deploying redundant or load-balanced web server architectures to minimize downtime impact. 8. Engage in proactive threat hunting and monitoring for unusual POST request patterns that could indicate exploitation attempts.