
Cloud Vulnerability DB
A community-led vulnerabilities database
In some mod_ssl configurations on Apache HTTP Server versions through 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. The vulnerability affects configurations using "SSLEngine optional" to enable TLS upgrades. The issue was discovered in July 2025 and assigned identifier CVE-2025-49812 ([Apache Security](https://httpd.apache.org/security/vulnerabilities24.html)).
The vulnerability exists in the mod_ssl module of Apache HTTP Server and specifically affects configurations where "SSLEngine optional" is enabled to allow TLS upgrades. The issue has been assigned a CVSS v3.1 Base Score of 7.4 (HIGH) with vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating high impact on confidentiality and integrity but no impact on availability. The vulnerability is classified under CWE-287 (Improper Authentication) (NVD Database).
When successfully exploited, this vulnerability allows a man-in-the-middle attacker to hijack HTTP sessions during TLS upgrade processes. This can lead to unauthorized access to sensitive information and potential session takeover (Apache Security, Ubuntu Security).
Users are strongly recommended to upgrade to Apache HTTP Server version 2.4.64, which completely removes support for TLS upgrade to address this vulnerability. The fix involves removing the old "SSLEngine optional" configuration option, which may require configuration changes in certain environments (Apache Security, Ubuntu Security).
Source: This report was generated using AI