A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently, affecting availability.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Mon, 28 Jul 2025 13:30:00 +0000


Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00707}

epss

{'score': 0.0049}


Tue, 01 Jul 2025 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_aus:8.2
cpe:/a:redhat:rhel_aus:8.4
cpe:/a:redhat:rhel_aus:8.6
cpe:/a:redhat:rhel_e4s:8.6
cpe:/a:redhat:rhel_e4s:8.8
cpe:/a:redhat:rhel_e4s:9.0
cpe:/a:redhat:rhel_e4s:9.2
cpe:/a:redhat:rhel_eus:9.4
cpe:/a:redhat:rhel_tus:8.6
cpe:/a:redhat:rhel_tus:8.8

Tue, 01 Jul 2025 02:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Eus
Redhat rhel Tus
CPEs cpe:/a:redhat:rhel_aus:8.2::appstream
cpe:/a:redhat:rhel_aus:8.4::appstream
cpe:/a:redhat:rhel_aus:8.6::appstream
cpe:/a:redhat:rhel_e4s:8.6::appstream
cpe:/a:redhat:rhel_e4s:8.8::appstream
cpe:/a:redhat:rhel_e4s:9.0::appstream
cpe:/a:redhat:rhel_e4s:9.2::appstream
cpe:/a:redhat:rhel_eus:9.4::appstream
cpe:/a:redhat:rhel_tus:8.6::appstream
cpe:/a:redhat:rhel_tus:8.8::appstream
Vendors & Products Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Eus
Redhat rhel Tus
References

Tue, 24 Jun 2025 02:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:enterprise_linux:9

Mon, 23 Jun 2025 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:9 cpe:/a:redhat:enterprise_linux:9::appstream
References

Tue, 10 Jun 2025 19:00:00 +0000

Type Values Removed Values Added
Metrics threat_severity

Moderate

threat_severity

Important


Fri, 06 Jun 2025 10:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:10
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Mon, 12 May 2025 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache http Server
Debian
Debian debian Linux
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:-:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
Vendors & Products Apache
Apache http Server
Debian
Debian debian Linux

Thu, 08 May 2025 11:45:00 +0000

Type Values Removed Values Added
References

Wed, 07 May 2025 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:enterprise_linux:8

Wed, 07 May 2025 02:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:8 cpe:/a:redhat:enterprise_linux:8::appstream
References

Fri, 02 May 2025 02:45:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Tue, 29 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 29 Apr 2025 12:15:00 +0000

Type Values Removed Values Added
Description A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently, affecting availability.
Title Mod_auth_openidc: dos via empty post in mod_auth_openidc with oidcpreservepost enabled
First Time appeared Redhat
Redhat enterprise Linux
Weaknesses CWE-248
CPEs cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2025-08-06T04:55:01.988Z

Reserved: 2025-04-23T06:53:53.124Z

Link: CVE-2025-3891

cve-icon Vulnrichment

Updated: 2025-05-08T11:02:57.903Z

cve-icon NVD

Status : Modified

Published: 2025-04-29T12:15:32.137

Modified: 2025-07-28T14:15:27.493

Link: CVE-2025-3891

cve-icon Redhat

Severity : Important

Publid Date: 2025-04-29T11:37:07Z

Links: CVE-2025-3891 - Bugzilla

cve-icon OpenCVE Enrichment

No data.