CVE-2025-3891: 
Alma Linux vulnerability analysis and mitigation

A vulnerability (CVE-2025-3891) was discovered in the modauthopenidc module for Apache httpd, disclosed on April 29, 2025. The flaw affects Apache httpd installations with the modauthopenidc module when the OIDCPreservePost directive is enabled. This vulnerability impacts versions 2.0.0 through 2.4.13.1 of the module (Red Hat Bugzilla).

The vulnerability is classified as CWE-248 (Uncaught Exception) and has been assigned a CVSS v3.1 base score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. The issue occurs when a POST request is sent without a Content-Type header while the OIDCPreservePost directive is enabled (NVD, Red Hat Bugzilla).

When exploited, this vulnerability results in a consistent server crash, leading to a denial of service condition that affects the availability of the Apache httpd service. The impact is particularly significant as it can be triggered by an unauthenticated attacker (NVD).

The issue has been fixed in modauthopenidc version 2.4.13.2 and later through a patch that addresses the missing Content-Type header handling. Red Hat has released security updates for affected versions through RHSA-2025:4597. Users are advised to upgrade to the patched versions (Red Hat Bugzilla, Red Hat Errata).