CVE-2025-3891: Uncaught Exception
A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently, affecting availability.
AI Analysis
Technical Summary
CVE-2025-3891 is a vulnerability identified in the mod_auth_openidc module version 2.0.0 used with Apache httpd on Red Hat Enterprise Linux 8. The flaw arises when the OIDCPreservePost directive is enabled, which is intended to preserve POST data during OpenID Connect authentication flows. An attacker can send an empty POST request to the server, which leads to an uncaught exception within the module's code. This exception causes the Apache httpd process to crash consistently, resulting in a denial of service (DoS) condition. The vulnerability can be exploited remotely without any authentication or user interaction, making it accessible to any attacker with network access to the affected server. The issue specifically impacts availability, as it does not compromise confidentiality or integrity of data. The CVSS v3.1 base score is 7.5, indicating a high severity due to the ease of exploitation (attack vector: network, attack complexity: low) and the complete loss of availability of the affected service. No known exploits have been reported in the wild as of the publication date, but the vulnerability is considered critical for environments relying on mod_auth_openidc for authentication. The flaw is rooted in improper handling of empty POST requests when preserving POST data, highlighting a need for improved input validation and exception handling within the module.
Potential Impact
The primary impact of CVE-2025-3891 is a denial of service on web servers running Apache httpd with the vulnerable mod_auth_openidc module and the OIDCPreservePost directive enabled. This can lead to service outages, disrupting access to web applications that rely on OpenID Connect authentication. Organizations using this module for single sign-on or federated identity management may experience downtime, affecting user productivity and potentially causing business interruptions. The vulnerability does not expose sensitive data or allow unauthorized access, but the loss of availability can have cascading effects, especially for critical infrastructure or high-availability environments. Attackers can exploit this flaw remotely without credentials, increasing the risk of widespread disruption. The impact is particularly severe for organizations with public-facing authentication services or those that cannot quickly apply patches or mitigations. Additionally, repeated crashes could lead to resource exhaustion or complicate incident response efforts.
Mitigation Recommendations
To mitigate CVE-2025-3891, organizations should first verify whether the OIDCPreservePost directive is enabled in their mod_auth_openidc configuration. If it is not required, disabling it prevents the vulnerability from being triggered. Applying vendor-supplied patches or updates for mod_auth_openidc as soon as they become available is critical. Until a patch can be applied, web application firewall (WAF) rules that block or rate-limit empty POST requests to the affected endpoints can reduce exposure. Monitoring Apache httpd logs for unusual empty POST requests or repeated crashes can help detect exploitation attempts. Deploying redundancy and failover mechanisms can minimize downtime if a DoS occurs, and security teams should review and test their incident response plans for service outages caused by this vulnerability. Finally, keeping mod_auth_openidc and Apache httpd on the latest stable releases will help prevent similar issues.
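The first mitigation step above is a configuration audit. The following Python checker is an added example, not part of this advisory or of the mod_auth_openidc project: it walks an httpd configuration, tracks container sections, and reports every OIDCPreservePost directive together with the scope it applies to. The sample configuration is constructed, and the checker assumes no backslash line continuations and does not resolve Include directives.

```python
import re
from typing import List, Tuple

# Constructed sample httpd configuration; not taken from any real deployment.
SAMPLE_CONF = """\
LoadModule auth_openidc_module modules/mod_auth_openidc.so
# OIDCPreservePost On      <- commented out: must not be reported
<VirtualHost *:443>
    <Location /protected>
        AuthType openid-connect
        Require valid-user
        oidcpreservepost on
    </Location>
    <Location /api>
        OIDCPreservePost Off
    </Location>
</VirtualHost>
"""

_OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")   # <Section args>
_CLOSE = re.compile(r"^</\w+>$")             # </Section>
_DIRECTIVE = re.compile(r"^(\S+)\s+(.*)$")   # Name args

def find_preserve_post(conf_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, scope, value) for every OIDCPreservePost directive.
    Comment lines are skipped; directive names and On/Off values are matched
    case-insensitively, as httpd does. Scope is the chain of enclosing
    containers, or "<server>" for the global context. Assumes no backslash
    line continuations and does not follow Include directives."""
    findings: List[Tuple[int, str, str]] = []
    stack: List[str] = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := _OPEN.match(line):
            args = m.group(2).strip()
            stack.append(f"<{m.group(1)} {args}>" if args else f"<{m.group(1)}>")
        elif _CLOSE.match(line):
            if stack:
                stack.pop()
        elif (m := _DIRECTIVE.match(line)) and m.group(1).lower() == "oidcpreservepost":
            findings.append((line_no, "".join(stack) or "<server>", m.group(2).strip()))
    return findings

def enabled_scopes(conf_text: str) -> List[str]:
    """Scopes where the directive is explicitly On: the CVE-2025-3891
    precondition holds there, so these are the settings to review."""
    return [scope for _, scope, value in find_preserve_post(conf_text)
            if value.lower() == "on"]
```

Run it against each file that httpd actually loads (the main configuration plus everything it includes), since the directive may be set in a vhost or Location block rather than globally.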
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, India, Australia, Canada, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2025-04-23T06:53:53.124Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9816c4522896dcbd6858
Added to database: 5/21/2025, 9:08:38 AM
Last enriched: 2/27/2026, 2:01:06 PM
Last updated: 3/25/2026, 1:11:56 PM