{"api_version":"1","generated_at":"2026-04-23T04:34:07+00:00","cve":"CVE-2023-25690","urls":{"html":"https://cve.report/CVE-2023-25690","api":"https://cve.report/api/cve/CVE-2023-25690.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-25690","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-25690"},"summary":{"title":"CVE-2023-25690","description":"Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.\n\n\n\n\nConfigurations are affected when mod_proxy is enabled along with some form of RewriteRule\n or ProxyPassMatch in which a non-specific pattern matches\n some portion of the user-supplied request-target (URL) data and is then\n re-inserted into the proxied request-target using variable \nsubstitution. For example, something like:\n\n\n\n\nRewriteEngine on\nRewriteRule \"^/here/(.*)\" \"http://example.com:8080/elsewhere?$1\"; [P]\nProxyPassReverse /here/ http://example.com:8080/\n\n\nRequest splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.","state":"PUBLIC","assigner":"security@apache.org","published_at":"2023-03-07 16:15:00","updated_at":"2024-01-02 16:15:00"},"problem_types":["CWE-444"],"metrics":[],"references":[{"url":"http://packetstormsecurity.com/files/176334/Apache-2.4.55-mod_proxy-HTTP-Request-Smuggling.html","name":"http://packetstormsecurity.com/files/176334/Apache-2.4.55-mod_proxy-HTTP-Request-Smuggling.html","refsource":"","tags":[],"title":"","mime":"","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00028.html","name":"https://lists.debian.org/debian-lts-announce/2023/04/msg00028.html","refsource":"MISC","tags":[],"title":"[SECURITY] [DLA 3401-1] apache2 security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://httpd.apache.org/security/vulnerabilities_24.html","name":"https://httpd.apache.org/security/vulnerabilities_24.html","refsource":"MISC","tags":[],"title":"Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202309-01","name":"https://security.gentoo.org/glsa/202309-01","refsource":"MISC","tags":[],"title":"Apache HTTPD: Multiple Vulnerabilities (GLSA 202309-01) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-25690","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-25690","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"25690","vulnerable":"1","versionEndIncluding":"2.4.55","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"http_server","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-25690","qid":"150660","title":"Apache HTTP Server Prior to 2.4.56 Multiple Security Vulnerabilities"},{"cve":"CVE-2023-25690","qid":"160534","title":"Oracle Enterprise Linux Security Update for httpd (ELSA-2023-1593)"},{"cve":"CVE-2023-25690","qid":"160539","title":"Oracle Enterprise Linux Security Update for httpd and mod_http2 (ELSA-2023-1670)"},{"cve":"CVE-2023-25690","qid":"160540","title":"Oracle Enterprise Linux Security Update for httpd:2.4 (ELSA-2023-1673)"},{"cve":"CVE-2023-25690","qid":"181660","title":"Debian Security Update for apache2 (DSA 5376-1)"},{"cve":"CVE-2023-25690","qid":"181753","title":"Debian Security Update for apache2 (DLA 3401-1)"},{"cve":"CVE-2023-25690","qid":"184656","title":"Debian Security Update for apache2 (CVE-2023-25690)"},{"cve":"CVE-2023-25690","qid":"199231","title":"Ubuntu Security Notification for Apache Hypertext Transfer Protocol (HTTP) Server Vulnerabilities (USN-5942-1)"},{"cve":"CVE-2023-25690","qid":"199481","title":"Ubuntu Security Notification for Apache Hypertext Transfer Protocol (HTTP) Server Vulnerability (USN-5942-2)"},{"cve":"CVE-2023-25690","qid":"241313","title":"Red Hat Update for httpd (RHSA-2023:1593)"},{"cve":"CVE-2023-25690","qid":"241314","title":"Red Hat Update for httpd:2.4 (RHSA-2023:1596)"},{"cve":"CVE-2023-25690","qid":"241323","title":"Red Hat Update for httpd:2.4 (RHSA-2023:1597)"},{"cve":"CVE-2023-25690","qid":"241330","title":"Red Hat Update for httpd and mod_http2 (RHSA-2023:1670)"},{"cve":"CVE-2023-25690","qid":"241331","title":"Red Hat Update for httpd:2.4 (RHSA-2023:1673)"},{"cve":"CVE-2023-25690","qid":"241372","title":"Red Hat Update for httpd and mod_http2 (RHSA-2023:1916)"},{"cve":"CVE-2023-25690","qid":"241556","title":"Red Hat Update for httpd24-httpd (RHSA-2023:3292)"},{"cve":"CVE-2023-25690","qid":"241574","title":"Red Hat Update for JBoss Core Services (RHSA-2023:3354)"},{"cve":"CVE-2023-25690","qid":"241595","title":"Red Hat Update for httpd:2.4 (RHSA-2023:1672)"},{"cve":"CVE-2023-25690","qid":"241656","title":"Red Hat Update for httpd:2.4 (RHSA-2023:1547)"},{"cve":"CVE-2023-25690","qid":"283776","title":"Fedora Security Update for httpd (FEDORA-2023-54dae7b78a)"},{"cve":"CVE-2023-25690","qid":"283818","title":"Fedora Security Update for httpd (FEDORA-2023-7df48f618b)"},{"cve":"CVE-2023-25690","qid":"284249","title":"Fedora Security Update for httpd (FEDORA-2023-7d14cdec4a)"},{"cve":"CVE-2023-25690","qid":"354828","title":"Amazon Linux Security Advisory for httpd : ALAS2-2023-1989"},{"cve":"CVE-2023-25690","qid":"354845","title":"Amazon Linux Security Advisory for httpd24 : ALAS-2023-1711"},{"cve":"CVE-2023-25690","qid":"355276","title":"Amazon Linux Security Advisory for httpd : ALAS2023-2023-136"},{"cve":"CVE-2023-25690","qid":"378328","title":"IBM Hypertext Transfer Protocol (HTTP) Server Bypass Access Control Vulnerabilty (6963650)"},{"cve":"CVE-2023-25690","qid":"378424","title":"Alibaba Cloud Linux Security Update for httpd (ALINUX2-SA-2023:0018)"},{"cve":"CVE-2023-25690","qid":"378450","title":"F5 BIG-IP Apache Vulnerability (K000133098)"},{"cve":"CVE-2023-25690","qid":"378489","title":"NetApp Clustered Data Open Network Technology for Appliance Products (ONTAP) Denial of Service (DoS) Vulnerability (NTAP-20230316-0007)"},{"cve":"CVE-2023-25690","qid":"378677","title":"Oracle Hypertext Transfer Protocol Server (HTTP Server) Server Multiple Vulnerabilities (CPUJUL2023)"},{"cve":"CVE-2023-25690","qid":"502676","title":"Alpine Linux Security Update for apache2"},{"cve":"CVE-2023-25690","qid":"503859","title":"Alpine Linux Security Update for apache2"},{"cve":"CVE-2023-25690","qid":"672896","title":"EulerOS Security Update for httpd (EulerOS-SA-2023-1805)"},{"cve":"CVE-2023-25690","qid":"672908","title":"EulerOS Security Update for httpd (EulerOS-SA-2023-1823)"},{"cve":"CVE-2023-25690","qid":"672999","title":"EulerOS Security Update for httpd (EulerOS-SA-2023-1847)"},{"cve":"CVE-2023-25690","qid":"673013","title":"EulerOS Security Update for httpd (EulerOS-SA-2023-1872)"},{"cve":"CVE-2023-25690","qid":"673063","title":"EulerOS Security Update for httpd (EulerOS-SA-2023-2191)"},{"cve":"CVE-2023-25690","qid":"673065","title":"EulerOS Security Update for httpd (EulerOS-SA-2023-2148)"},{"cve":"CVE-2023-25690","qid":"673142","title":"EulerOS Security Update for httpd (EulerOS-SA-2023-2271)"},{"cve":"CVE-2023-25690","qid":"673150","title":"EulerOS Security Update for httpd (EulerOS-SA-2023-2295)"},{"cve":"CVE-2023-25690","qid":"691094","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for apache httpd (8edeb3c1-bfe7-11ed-96f5-3497f65b111b)"},{"cve":"CVE-2023-25690","qid":"730758","title":"Apache Hypertext Transfer Protocol (HTTP) Server Request Smuggling Vulnerability"},{"cve":"CVE-2023-25690","qid":"753799","title":"SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2023:0764-1)"},{"cve":"CVE-2023-25690","qid":"753813","title":"SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2023:0799-1)"},{"cve":"CVE-2023-25690","qid":"753814","title":"SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2023:0803-1)"},{"cve":"CVE-2023-25690","qid":"753845","title":"SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2023:1573-1)"},{"cve":"CVE-2023-25690","qid":"906680","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for httpd (25605-3)"},{"cve":"CVE-2023-25690","qid":"906720","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for httpd (25614-1)"},{"cve":"CVE-2023-25690","qid":"940978","title":"AlmaLinux Security Update for httpd:2.4 (ALSA-2023:1673)"},{"cve":"CVE-2023-25690","qid":"940983","title":"AlmaLinux Security Update for httpd and mod_http2 (ALSA-2023:1670)"},{"cve":"CVE-2023-25690","qid":"960909","title":"Rocky Linux Security Update for httpd:2.4 (RLSA-2023:1673)"},{"cve":"CVE-2023-25690","qid":"960910","title":"Rocky Linux Security Update for httpd and mod_http2 (RLSA-2023:1670)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-25690","ASSIGNER":"security@apache.org","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.\n\n\n\n\nConfigurations are affected when mod_proxy is enabled along with some form of RewriteRule\n or ProxyPassMatch in which a non-specific pattern matches\n some portion of the user-supplied request-target (URL) data and is then\n re-inserted into the proxied request-target using variable \nsubstitution. For example, something like:\n\n\n\n\nRewriteEngine on\nRewriteRule \"^/here/(.*)\" \"http://example.com:8080/elsewhere?$1\"; [P]\nProxyPassReverse /here/ http://example.com:8080/\n\n\nRequest splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.\n\n\n"}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')","cweId":"CWE-444"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Apache Software Foundation","product":{"product_data":[{"product_name":"Apache HTTP Server","version":{"version_data":[{"version_affected":"<=","version_name":"2.4.0","version_value":"2.4.55"}]}}]}}]}},"references":{"reference_data":[{"url":"https://httpd.apache.org/security/vulnerabilities_24.html","refsource":"MISC","name":"https://httpd.apache.org/security/vulnerabilities_24.html"},{"url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00028.html","refsource":"MISC","name":"https://lists.debian.org/debian-lts-announce/2023/04/msg00028.html"},{"url":"https://security.gentoo.org/glsa/202309-01","refsource":"MISC","name":"https://security.gentoo.org/glsa/202309-01"}]},"generator":{"engine":"Vulnogram 0.1.0-dev"},"source":{"discovery":"UNKNOWN"},"credits":[{"lang":"en","value":"Lars Krapf of Adobe"}]},"nvd":{"publishedDate":"2023-03-07 16:15:00","lastModifiedDate":"2024-01-02 16:15:00","problem_types":["CWE-444"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*","versionStartIncluding":"2.4.0","versionEndIncluding":"2.4.55","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}