CVE-2025-54090

Published Jul 23, 2025

Last updated 4 months ago

CVSS medium 6.3

Overview

Description
A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond expr ..." tests evaluating as "true". Users are recommended to upgrade to version 2.4.65, which fixes the issue.
Source
security@apache.org
NVD status
Modified
Products
http_server

Risk scores

CVSS 3.1

Type
Secondary
Base score
6.3
Impact score
3.4
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Severity
MEDIUM

Weaknesses

security@apache.org
CWE-253

Social media

Hype score
Not currently trending

  1. Arcserve UDP に同梱される Apache HTTP Server の脆弱性 CVE-2025-54090 について、Arcserve UDP 10.3 へのアップグレードをお勧めします。 参考:Arcserve UDP に同梱されるサード パーティ製品 (Apache/OpenSSL/Tomcat/OpenJDK/JRE) のアッ

    @Arcserve_jp

    22 Dec 2025

    29 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-54090: Apache HTTP Server: 'RewriteCond expr' always evaluates to true in 2.4.64 https://t.co/n2hPCzKyGb Users are recommended to upgrade to version 2.4.65, which fixes the issue

    @oss_security

    24 Jul 2025

    498 Impressions

    2 Retweets

    6 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  3. 警告: kusanagi-httpd24 脆弱性情報 概要 公開日時 2025-07-24 深刻度 警告 モジュール kusanagi-httpd24 対象 Security Edition 脆弱性情報 kusanagi-httpd24の脆弱性情報を公開しました。修正した脆弱性は以下の通りとなります

    @kusanagi_saya

    24 Jul 2025

    114 Impressions

    3 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. kusanagi-httpd24 モジュール更新情報 2.4.65-1 KUSANAGI 9 を構成している各モジュールのアップデートを行いました。 アップデートにより適用される各モジュールのバージョンは、以下のとおりとなります。 httpd24 2.4

    @kusanagi_saya

    24 Jul 2025

    99 Impressions

    2 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2025-54090: Apache HTTP Server: 'RewriteCond expr' always evaluates to true #HackerNews https://t.co/26xIoWiVz4 https://t.co/MK4TeFsOpU

    @hackernewstop5

    24 Jul 2025

    64 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2025-54090 ってなにもん

    @hawksnowlog

    24 Jul 2025

    18 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. kusanagi-httpd24 モジュール更新情報 2.4.65-1.el9 KUSANAGI 9 を構成している各モジュールのアップデートを行いました。 アップデートにより適用される各モジュールのバージョンは、以下のとおりとなります。 httpd24

    @kusanagi_saya

    24 Jul 2025

    100 Impressions

    2 Retweets

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. CVE-2025-54090: Apache HTTP Server: 'RewriteCond expr' always evaluates to true https://t.co/VEQTKK8i1W 4

    @cevaboyz

    24 Jul 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. CVE-2025-54090 A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond expr ..." tests evaluating as "true". Users are recommended to upgrade to version 2.4.65, which fixe… https://t.co/6sZyvXa3fx

    @CVEnew

    23 Jul 2025

    411 Impressions

    2 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy Plug-in for Apache HTTP Server, Weblogic Server Proxy Plug-in for IIS). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in. While the vulnerability is in Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data as well as unauthorized access to critical data or complete access to all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data. Note: Affected version for Weblogic Server Proxy Plug-in for IIS is 12.2.1.4.0 only. CVSS 3.1 Base Score 10.0 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).CVE-2026-21962
  2. Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.CVE-2025-58098
  3. mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid. This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65. Users are recommended to upgrade to version 2.4.66, which fixes the issue.CVE-2025-66200
  4. Server-Side Request Forgery (SSRF) vulnerability  in Apache HTTP Server on Windows with AllowEncodedSlashes On and MergeSlashes Off  allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to version 2.4.66, which fixes the issue.CVE-2025-59775
  5. Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs. This issue affects Apache HTTP Server from 2.4.0 through 2.4.65. Users are recommended to upgrade to version 2.4.66 which fixes the issue.CVE-2025-65082

References

Sources include official advisories and independent security research.