Vulnerability Description
In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Http Server | >= 2.4.35, < 2.4.64 |
Related Weaknesses (CWE)
References
- https://httpd.apache.org/security/vulnerabilities_24.htmlVendor Advisory
- http://www.openwall.com/lists/oss-security/2025/07/10/2
- http://www.openwall.com/lists/oss-security/2025/07/10/8
- https://lists.debian.org/debian-lts-announce/2025/08/msg00009.html
FAQ
What is CVE-2025-23048?
CVE-2025-23048 is a vulnerability with a CVSS score of 9.1 (CRITICAL). In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected wh...
How severe is CVE-2025-23048?
CVE-2025-23048 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-23048?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server.