CVE-2025-3891

A flaw was found in the modauthopenidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently, affecting availability.

References

Affected packages

Debian:11 / libapache2-mod-auth-openidc

Package

Name: libapache2-mod-auth-openidc
Purl: pkg:deb/debian/libapache2-mod-auth-openidc?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.9.4-0+deb11u6

Affected versions

2.*

2.4.9-1

2.4.9.4-0+deb11u1

2.4.9.4-0+deb11u2

2.4.9.4-0+deb11u3

2.4.9.4-0+deb11u4

2.4.9.4-0+deb11u5

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / libapache2-mod-auth-openidc

Package

Name: libapache2-mod-auth-openidc
Purl: pkg:deb/debian/libapache2-mod-auth-openidc?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.12.3-2+deb12u4

Affected versions

2.*

2.4.12.3-2

2.4.12.3-2+deb12u1

2.4.12.3-2+deb12u2

2.4.12.3-2+deb12u3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / libapache2-mod-auth-openidc

Package

Name: libapache2-mod-auth-openidc
Purl: pkg:deb/debian/libapache2-mod-auth-openidc?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.14.2-1

Affected versions

2.*

2.4.12.3-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}