CVE-2025-3891: Uncaught Exception

High
Published: Tue Apr 29 2025 (04/29/2025, 11:56:50 UTC)
Source: CVE
Vendor/Project: Red Hat
Product: Red Hat Enterprise Linux 8

Description

A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently, affecting availability.

AI-Powered Analysis

Last updated: 09/26/2025, 00:25:21 UTC

Technical Analysis

CVE-2025-3891 is a high-severity vulnerability affecting the mod_auth_openidc module version 2.0.0 used with Apache httpd, specifically on Red Hat Enterprise Linux 8. The flaw arises when the OIDCPreservePost directive is enabled. An unauthenticated remote attacker can exploit this vulnerability by sending an empty POST request to the server. This triggers an uncaught exception within the module, causing the Apache server process to crash consistently. The vulnerability directly impacts the availability of the affected web server, resulting in a denial of service (DoS). Since no authentication or user interaction is required, the attack surface is broad, and exploitation can be automated. The vulnerability does not affect confidentiality or integrity but solely targets availability. The CVSS 3.1 base score is 7.5 (high), reflecting the ease of remote exploitation without privileges and the significant impact on service availability. No known exploits are currently reported in the wild, but the simplicity of the attack vector suggests potential for future exploitation. The vulnerability is specific to mod_auth_openidc 2.0.0 with OIDCPreservePost enabled, a configuration used to preserve POST data during OpenID Connect authentication flows, commonly deployed in environments requiring federated identity management integrated with Apache httpd servers.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the availability of web services relying on Apache httpd with mod_auth_openidc 2.0.0, especially those using Red Hat Enterprise Linux 8. Organizations in sectors such as government, finance, healthcare, and critical infrastructure that use OpenID Connect for authentication could experience service outages, disrupting business operations and potentially affecting end-user access to critical applications. The denial of service could also be leveraged as part of a larger attack campaign to cause operational disruption or as a diversion for other malicious activities. Because the exploit requires no authentication, attacks can be launched from anywhere, widening the pool of potential attackers. The impact is particularly relevant for organizations with strict uptime requirements and those that depend on Apache httpd for secure authentication workflows. Additionally, the lack of known patches at the time of disclosure increases the urgency for mitigation.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should first verify whether they are running mod_auth_openidc version 2.0.0 with the OIDCPreservePost directive enabled. If so, immediate steps include:

1) Temporarily disabling the OIDCPreservePost directive, if feasible, to prevent triggering the uncaught exception.
2) Applying any available patches or updates from Red Hat or the mod_auth_openidc maintainers as soon as they are released.
3) Implementing web application firewalls (WAFs) or intrusion prevention systems (IPS) to detect and block empty POST requests targeting the affected endpoints.
4) Monitoring Apache httpd logs for unusual empty POST requests and server crashes to identify potential exploitation attempts.
5) Considering rate limiting or IP reputation-based filtering to reduce the risk of automated attacks.
6) Planning for incident response readiness to quickly restore service availability in case of an attack.

Organizations should also review their authentication flows to assess whether alternative configurations or modules can be used to reduce dependency on the vulnerable directive until a patch is applied.
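A log-monitoring helper for recommendation 4, added here as an example and not part of the original advisory or of mod_auth_openidc: it flags POST requests with a zero or absent Content-Length in the access log and counts httpd child exit-signal notices (AH00051) in the error log, because a request that crashes the worker may never reach the access-logging phase and so may only show up as a crash notice. It assumes a custom LogFormat that appends the request Content-Length header (shown in the comment); the IPs, paths and log lines are constructed.

```python
import re
from collections import Counter

# Access log: assumed LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Content-Length}i\""
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<clen>[^"]*)"$'
)
# error_log: AH00051 is httpd's "child pid N exit signal ..." notice
CRASH_RE = re.compile(r"AH00051: child pid \d+ exit signal (?P<sig>.+?) \(\d+\)")

def parse_access(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None

def empty_posts(lines):
    """Return access records for POSTs whose Content-Length is 0 or missing ('-')."""
    recs = (parse_access(line) for line in lines)
    return [r for r in recs if r and r["method"] == "POST" and r["clen"] in ("0", "-")]

def empty_posts_by_ip(lines):
    """Count empty POSTs per source IP (input for rate-limit or block decisions)."""
    return Counter(r["ip"] for r in empty_posts(lines))

def child_crashes(lines):
    """Count httpd child exit-signal notices in error_log lines by signal name."""
    return Counter(m.group("sig") for m in map(CRASH_RE.search, lines) if m)

# Constructed sample data (documentation IP ranges), not captured from a real host
ACCESS_SAMPLE = [
    '198.51.100.7 - - [29/Apr/2025:11:56:50 +0000] "POST /app/login HTTP/1.1" 200 512 "0"',
    '198.51.100.7 - - [29/Apr/2025:11:56:51 +0000] "POST /app/login HTTP/1.1" 200 512 "0"',
    '203.0.113.9 - - [29/Apr/2025:11:56:52 +0000] "POST /app/login HTTP/1.1" 302 0 "187"',
    '203.0.113.9 - - [29/Apr/2025:11:56:53 +0000] "GET /app/ HTTP/1.1" 200 1024 "-"',
    '198.51.100.7 - - [29/Apr/2025:11:56:54 +0000] "POST /app/login HTTP/1.1" 200 512 "-"',
]
ERROR_SAMPLE = [
    "[Tue Apr 29 11:56:50.482113 2025] [core:notice] [pid 1201:tid 1201] AH00051: "
    "child pid 1345 exit signal Aborted (6), possible coredump in /etc/httpd",
    "[Tue Apr 29 11:56:54.117605 2025] [core:notice] [pid 1201:tid 1201] AH00051: "
    "child pid 1362 exit signal Aborted (6), possible coredump in /etc/httpd",
    "[Tue Apr 29 11:57:00.000000 2025] [mpm_prefork:notice] [pid 1201:tid 1201] "
    "AH00163: Apache/2.4 configured -- resuming normal operations",
]

if __name__ == "__main__":
    for r in empty_posts(ACCESS_SAMPLE):
        print(f'{r["ts"]} {r["ip"]} empty POST {r["path"]} status={r["status"]}')
    print("empty POSTs per source:", dict(empty_posts_by_ip(ACCESS_SAMPLE)))
    print("child crash notices:", dict(child_crashes(ERROR_SAMPLE)))
```

A burst of empty POSTs from one source aligned in time with AH00051 notices is the pattern worth alerting on; either signal alone is weaker evidence.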

Technical Details

Data Version: 5.1
Assigner Short Name: redhat
Date Reserved: 2025-04-23T06:53:53.124Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9816c4522896dcbd6858

Added to database: 5/21/2025, 9:08:38 AM

Last enriched: 9/26/2025, 12:25:21 AM

Last updated: 9/26/2025, 12:25:21 AM
