Threat Intelligence Database

Red Hat has issued a security advisory for the Apache HTTP Server (httpd) packages addressing multiple vulnerabilities in mod_rewrite and mod_proxy modules. The issues include improper escaping of output, substitution encoding problems, null pointer dereference, potential server-side request forgery (SSRF), and encoding problems. These vulnerabilities affect Red Hat Enterprise Linux 9 and its Extended Update Support and Extended Life Cycle versions across multiple architectures. The advisory rates the update as important and provides updated packages to remediate these issues.

Red Hat has issued a security advisory for the Apache HTTP Server (httpd) packages addressing two vulnerabilities: an encoding problem in mod_proxy (CVE-2024-38473) and a potential server-side request forgery (SSRF) in mod_rewrite (CVE-2024-39573). These issues affect Red Hat Enterprise Linux 9.2 Extended Update Support and related variants. The update is rated as having a moderate security impact. Red Hat has released updated packages to fix these vulnerabilities.

This advisory addresses two security vulnerabilities in the Apache HTTP Server (httpd) 2.4 packages provided by Red Hat. The first vulnerability (CVE-2025-55753) involves unintended retry intervals in the mod_md (ACME) module. The second vulnerability (CVE-2025-58098) concerns Server Side Includes (SSI) adding query strings to the #exec cmd directive. Red Hat has issued an important security update for Red Hat Enterprise Linux 8.2 to address these issues. The advisory does not provide a CVSS score but rates the impact as important.

This advisory addresses two security vulnerabilities in the Apache HTTP Server (httpd) version 2.4 packages provided by Red Hat. The first vulnerability (CVE-2025-55753) involves unintended retry intervals in the mod_md (ACME) module. The second vulnerability (CVE-2025-58098) concerns Server Side Includes (SSI) adding query strings to the #exec cmd= directive. Red Hat has released security updates for Red Hat Enterprise Linux 8.4 to fix these issues. The update is rated as having an Important security impact by Red Hat. No CVSS scores are provided in the advisory. The vulnerabilities relate to CWE-190 (Integer Overflow or Wraparound) and CWE-201 (Information Exposure).

Red Hat issued a security advisory for the Apache HTTP Server (httpd) 2.4 packages addressing two vulnerabilities: CVE-2025-55753 in mod_md related to unintended retry intervals, and CVE-2025-58098 in Server Side Includes where query strings are added to #exec cmd= commands. The update is rated as Important by Red Hat Product Security and affects Red Hat Enterprise Linux 8.8 variants. The advisory provides updated packages to fix these issues.

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es): * httpd: Security issues via?backend applications whose response headers are malicious or exploitable (CVE-2024-38476) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products and packaged under Red Hat JBoss Core Services, to allow for faster distribution of updates and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.62 Service Pack 1 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.62, and includes bug fixes and enhancements, which are documented in the Release Notes linked to in the References section. Security Fix(es): * httpd: HTTP Session Hijack via a TLS upgrade [jbcs-httpd-2.4] (CVE-2025-49812) * httpd: access control bypass by trusted clients is possible using TLS 1.3 session resumption [jbcs-httpd-2.4] (CVE-2025-23048) * httpd: insufficient escaping of user-supplied data in mod_ssl [jbcs-httpd-2.4] (CVE-2024-47252) * httpd: untrusted input from a client causes an assertion to fail in the Apache mod_proxy_http2 module [jbcs-httpd-2.4] (CVE-2025-49630) * jbcs-httpd24-mod_security: ModSecurity Has Possible DoS Vulnerability [jbcs-httpd-2.4] (CVE-2025-47947) A Red Hat Security Bulletin which addresses further details about this flaw is available in the References section. For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es): * httpd: HTTP Session Hijack via a TLS upgrade (CVE-2025-49812) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products and packaged under Red Hat JBoss Core Services, to allow for faster distribution of updates and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.62 Service Pack 4 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.62 Service Pack 3, and includes bug fixes and enhancements, which are documented in the Release Notes linked to in the References section. Security Fix(es): * jbcs-httpd24-httpd: Apache HTTP Server mod_proxy_ajp: Arbitrary code execution via heap-based buffer overflow (CVE-2026-28780) * jbcs-httpd24-httpd: HTTP/2: Remote Denial of Service via compression bomb and Slowloris-style attack (CVE-2026-49975) * jbcs-httpd24-mod_http2: HTTP/2: Remote Denial of Service via compression bomb and Slowloris-style attack (CVE-2026-49975) * mod_proxy_ajp.so: heap-based buffer over-read due to missing null-termination check (CVE-2026-34032) * mod_proxy_ajp.so: heap-based buffer over-read and memory disclosure in ajp_parse_data() (CVE-2026-34059) * mod_authn_socache.so: NULL pointer dereference can cause a child process crash (CVE-2026-33007) * mod_proxy_ajp.so: off-by-one out-of-bounds reads in AJP getter functions (CVE-2026-33857) * mod_dav_lock.so: NULL pointer dereference via specially crafted request (CVE-2026-29169) * jbcs-httpd24-mod_md: unrestricted OCSP response leads to resource exhaustion (CVE-2026-29168) * jbcs-httpd24-httpd: Apache HTTP Server: HTTP/2 DoS by Memory Increase (CVE-2025-53020) * nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (CVE-2026-27135) A Red Hat Security Bulletin which addresses further details about this flaw is available in the References section. For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.