CVE-2025-54090: 
Apache HTTP Server vulnerability analysis and mitigation

A vulnerability (CVE-2025-54090) was discovered in Apache HTTP Server version 2.4.64 where all 'RewriteCond expr' tests evaluate as 'true', regardless of the actual condition. The issue was reported on July 16, 2025, and was fixed with the release of version 2.4.65 on July 23, 2025. This vulnerability affects only Apache HTTP Server version 2.4.64 (Apache Security).

The vulnerability stems from a logic flaw in the handling of RewriteCond expressions where a code refactoring misunderstood the branching logic. The bug was introduced through a commit that incorrectly normalized rc >= 0 to CONDRCMATCH (1) when it should have normalized only rc > 0 to CONDRCMATCH, leaving 0 as CONDRCNOMATCH. The vulnerability has been assigned a CVSS v3.1 base score of 6.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L (NVD Database).

The vulnerability affects configurations using the 'RewriteCond expr' directive, causing all conditional tests to evaluate as true regardless of their intended logic. This could potentially lead to bypass of access controls, incorrect request routing, or unauthorized access to resources when RewriteCond expressions are used for security-related decisions (Apache Security).

Users are strongly recommended to upgrade to Apache HTTP Server version 2.4.65, which contains the fix for this vulnerability. No alternative workarounds have been provided (Apache Security).

The vulnerability has generated significant discussion in the security community, particularly regarding the importance of comprehensive testing for security-critical components. The Apache HTTP Server project has responded promptly by releasing a fix within a week of the vulnerability's discovery (Hacker News).