CVE-2025-3891

NameCVE-2025-3891
DescriptionA flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently, affecting availability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1104484

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libapache2-mod-auth-openidc (PTS)bullseye2.4.9.4-0+deb11u4vulnerable
bullseye (security)2.4.9.4-0+deb11u5vulnerable
bookworm2.4.12.3-2+deb12u2vulnerable
bookworm (security)2.4.12.3-2+deb12u3vulnerable
sid, trixie2.4.17-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libapache2-mod-auth-openidcsource(unstable)(unfixed)1104484

Notes

https://bugzilla.redhat.com/show_bug.cgi?id=2361633
check upstream status
Search for package or bug name: Reporting problems