Vulnerability Description
A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond expr ..." tests evaluating as "true". Users are recommended to upgrade to version 2.4.65, which fixes the issue.
CVSS Score
6.3
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Http Server | 2.4.64 |
Related Weaknesses (CWE)
References
- https://httpd.apache.org/security/vulnerabilities_24.htmlRelease Notes
- http://www.openwall.com/lists/oss-security/2025/07/24/2
- https://lists.debian.org/debian-lts-announce/2025/08/msg00009.html
- https://news.ycombinator.com/item?id=44666896Issue TrackingPatch
FAQ
What is CVE-2025-54090?
CVE-2025-54090 is a vulnerability with a CVSS score of 6.3 (MEDIUM). A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond expr ..." tests evaluating as "true". Users are recommended to upgrade to version 2.4.65, which fixes the issue.
How severe is CVE-2025-54090?
CVE-2025-54090 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-54090?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server.