
CVE-2025-3891: Uncaught Exception

Severity: High
Published: Tue Apr 29 2025 (04/29/2025, 11:56:50 UTC)
Source: CVE
Vendor/Project: Red Hat
Product: Red Hat Enterprise Linux 8

Description

A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently, affecting availability.

AI-Powered Analysis

Last updated: 11/11/2025, 12:40:21 UTC

Technical Analysis

CVE-2025-3891 is a denial-of-service vulnerability found in the mod_auth_openidc module version 2.0.0 for Apache httpd, primarily distributed with Red Hat Enterprise Linux 8. The vulnerability arises when the OIDCPreservePost directive is enabled, which is intended to preserve POST data during OpenID Connect authentication flows. An attacker can send an empty POST request to the server, which triggers an uncaught exception within the module, causing the Apache httpd process to crash consistently. This results in a denial of service, impacting the availability of web services relying on this authentication module. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network, making it highly accessible to attackers. The CVSS v3.1 base score is 7.5, reflecting the high impact on availability with no impact on confidentiality or integrity. Although no public exploits have been reported yet, the simplicity of the attack vector and the critical role of Apache httpd in many enterprise environments underscore the urgency of addressing this flaw. The vulnerability affects environments where mod_auth_openidc is used with the OIDCPreservePost directive enabled, which may be common in organizations implementing OpenID Connect for single sign-on or identity federation. Red Hat Enterprise Linux 8 users should monitor for patches and advisories from Red Hat and consider temporary configuration changes to mitigate risk.

Potential Impact

The primary impact of CVE-2025-3891 is on the availability of web services using Apache httpd with mod_auth_openidc and the OIDCPreservePost directive enabled. For European organizations, this can lead to service outages, disruption of authentication flows, and potential downtime for critical applications relying on OpenID Connect authentication. Sectors such as government, finance, healthcare, and critical infrastructure that depend on Red Hat Enterprise Linux 8 and Apache httpd for secure web services are particularly vulnerable. The denial of service could be exploited to cause operational disruptions, impacting business continuity and potentially leading to financial losses or reputational damage. Since the vulnerability does not affect confidentiality or integrity, data breaches are less likely, but the loss of availability can still have severe consequences, especially for time-sensitive or mission-critical systems. The ease of exploitation without authentication increases the risk of opportunistic attacks, including automated scanning and denial-of-service campaigns targeting European organizations.

Mitigation Recommendations

To mitigate CVE-2025-3891, organizations should first assess whether the OIDCPreservePost directive is enabled in their mod_auth_openidc configurations. If it is not essential for their authentication workflows, disabling this directive can immediately reduce exposure. Organizations should monitor Red Hat security advisories closely and apply patches or updates to mod_auth_openidc as soon as they become available. In the interim, implementing network-level protections such as web application firewalls (WAFs) or intrusion prevention systems (IPS) to detect and block anomalous empty POST requests targeting Apache httpd servers can help mitigate exploitation attempts. Additionally, rate limiting and IP reputation filtering can reduce the risk of denial-of-service attacks. Regularly auditing and testing authentication modules for robustness against malformed requests is recommended. Finally, maintaining comprehensive monitoring and alerting on Apache httpd service availability will enable rapid detection and response to potential exploitation attempts.
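The first mitigation step above is an inventory question: where, if anywhere, is OIDCPreservePost actually turned on? The following added example (not code from the advisory, Red Hat or mod_auth_openidc) scans httpd configuration text for active OIDCPreservePost directives and reports the enclosing container, handling the httpd conventions that trip up a naive grep: directive names and On/Off values are case-insensitive, the value may be quoted, and a line is a comment only when its first non-blank character is `#`. The sample configuration is constructed for the demonstration.

```python
import re
# httpd directive names and On/Off values are case-insensitive; the value may be quoted.
_DIRECTIVE = re.compile(r'^\s*OIDCPreservePost\s+"?(\w+)"?\s*$', re.IGNORECASE)
_SECTION_OPEN = re.compile(r'^\s*<(\w+)\s*([^>]*)>')   # <VirtualHost *:443>, <Location /app>
_SECTION_CLOSE = re.compile(r'^\s*</\w+>')


def find_preserve_post(config_text, source="<inline>"):
    """Return (source, line_no, context, value) for every OIDCPreservePost line.

    context is the innermost enclosing container ('Location /app') or 'server'
    for the global scope. Only lines starting with '#' are comments: httpd does
    not allow a trailing comment after a directive, so nothing else is stripped.
    """
    findings, stack = [], []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if (m := _SECTION_OPEN.match(line)):
            stack.append(" ".join(p for p in m.groups() if p))
        elif _SECTION_CLOSE.match(line):
            if stack:
                stack.pop()
        elif (m := _DIRECTIVE.match(line)):
            context = stack[-1] if stack else "server"
            findings.append((source, line_no, context, m.group(1).lower()))
    return findings


def enabled_locations(config_text, source="<inline>"):
    """Keep only the directives that are actually On (the module default is Off)."""
    return [f for f in find_preserve_post(config_text, source) if f[3] == "on"]


# Constructed sample configuration, not taken from any real deployment.
SAMPLE_CONF = """\
LoadModule auth_openidc_module modules/mod_auth_openidc.so
# OIDCPreservePost On   (commented out: must not be reported)
<VirtualHost *:443>
    <Location /app>
        AuthType openid-connect
        oidcpreservepost ON
    </Location>
    <Location /public>
        OIDCPreservePost Off
    </Location>
</VirtualHost>
"""

if __name__ == "__main__":
    for src, no, ctx, val in enabled_locations(SAMPLE_CONF, "sample.conf"):
        print(f"{src}:{no} [{ctx}] OIDCPreservePost {val}: in scope for CVE-2025-3891")
```

In a real audit, feed the text of each file under the httpd configuration directory (on RHEL typically `/etc/httpd/conf.d/`) to `find_preserve_post` with the file path as `source`; any `on` finding marks a scope that remains exposed until the module is patched or the directive is disabled there.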


Technical Details

Data Version: 5.1
Assigner Short Name: redhat
Date Reserved: 2025-04-23T06:53:53.124Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9816c4522896dcbd6858

Added to database: 5/21/2025, 9:08:38 AM

Last enriched: 11/11/2025, 12:40:21 PM

Last updated: 11/20/2025, 1:43:53 AM

Views: 84

