CVE-2025-3891

A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently, affecting availability.

CVSS

No CVSS.

References

Link	Resource
https://access.redhat.com/errata/RHSA-2025:10002
https://access.redhat.com/errata/RHSA-2025:10003
https://access.redhat.com/errata/RHSA-2025:10004
https://access.redhat.com/errata/RHSA-2025:10006
https://access.redhat.com/errata/RHSA-2025:10007
https://access.redhat.com/errata/RHSA-2025:10008
https://access.redhat.com/errata/RHSA-2025:10010
https://access.redhat.com/errata/RHSA-2025:4597	Third Party Advisory
https://access.redhat.com/errata/RHSA-2025:9396
https://access.redhat.com/security/cve/CVE-2025-3891	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2361633	Issue Tracking
https://github.com/OpenIDC/mod_auth_openidc/commit/6a0b5f66c87184dfe0e4400f6bdd46a82dc0ec2b
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-x7cf-8wgv-5j86
https://lists.debian.org/debian-lts-announce/2025/05/msg00007.html	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:8.0::::-:::
	cpe:2.3:o:redhat:enterprise_linux:9.0:::::::*

Configuration 3 (hide)

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

History

28 Jul 2025, 14:15

Type	Values Removed	Values Added
References		() https://github.com/OpenIDC/mod_auth_openidc/commit/6a0b5f66c87184dfe0e4400f6bdd46a82dc0ec2b - () https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-x7cf-8wgv-5j86 -

01 Jul 2025, 02:15

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2025:10007 - () https://access.redhat.com/errata/RHSA-2025:10002 - () https://access.redhat.com/errata/RHSA-2025:10004 - () https://access.redhat.com/errata/RHSA-2025:10008 - () https://access.redhat.com/errata/RHSA-2025:10010 - () https://access.redhat.com/errata/RHSA-2025:10006 - () https://access.redhat.com/errata/RHSA-2025:10003 -

23 Jun 2025, 19:15

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~7.5~~	v2 : unknown v3 : unknown
References		() https://access.redhat.com/errata/RHSA-2025:9396 -

12 May 2025, 19:36

Type	Values Removed	Values Added
First Time		Redhat enterprise Linux Apache http Server Apache Redhat Debian debian Linux Debian
References	~~() https://lists.debian.org/debian-lts-announce/2025/05/msg00007.html -~~	() https://lists.debian.org/debian-lts-announce/2025/05/msg00007.html - Mailing List, Third Party Advisory
References	~~() https://access.redhat.com/errata/RHSA-2025:4597 -~~	() https://access.redhat.com/errata/RHSA-2025:4597 - Third Party Advisory
References	~~() https://bugzilla.redhat.com/show_bug.cgi?id=2361633 -~~	() https://bugzilla.redhat.com/show_bug.cgi?id=2361633 - Issue Tracking
References	~~() https://access.redhat.com/security/cve/CVE-2025-3891 -~~	() https://access.redhat.com/security/cve/CVE-2025-3891 - Third Party Advisory
CWE		NVD-CWE-noinfo
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
CPE		cpe:2.3:o:redhat:enterprise_linux:8.0::::-::: cpe:2.3:o:redhat:enterprise_linux:9.0:::::::* cpe:2.3:a:apache:http_server:-:::::::* cpe:2.3:o:debian:debian_linux:11.0:::::::* cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*

08 May 2025, 11:15

Type	Values Removed	Values Added
References		() https://lists.debian.org/debian-lts-announce/2025/05/msg00007.html -

07 May 2025, 03:15

Type	Values Removed	Values Added
CWE	~~CWE-248~~
References		() https://access.redhat.com/errata/RHSA-2025:4597 -
CVSS	v2 : ~~unknown~~ v3 : ~~5.3~~	v2 : unknown v3 : unknown

29 Apr 2025, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-29 12:15

Updated : 2025-07-28 14:15

NVD link : CVE-2025-3891

Mitre link : CVE-2025-3891

JSON object : View

Products Affected

apache

http_server

redhat

enterprise_linux

debian

debian_linux

CWE

NVD-CWE-noinfo

JSON object

Attach tags to CVE-2025-3891

Attach tags to `CVE-2025-3891`