CVE-2025-54090
MEDIUM 6.3 | EPSS 0.92%
Apache HTTP Server: 'RewriteCond expr' always evaluates to true in 2.4.64
Published: 7/23/2025
Modified: 4/28/2026
Description
A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond expr ..." tests evaluating as "true". Users are recommended to upgrade to version 2.4.65, which fixes the issue.
Affected packages (3)
- Alpine/apache2: from 0, < 2.4.65-r0
- Bitnami/apache: >= 2.4.64, < 2.4.65
- Debian/apache2: from 0, < 2.4.65-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
References (7)
- ADVISORY: https://security.alpinelinux.org/vuln/CVE-2025-54090
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2025-54090
- WEB: https://httpd.apache.org/security/vulnerabilities_24.html
- WEB: https://lists.debian.org/debian-lts-announce/2025/08/msg00009.html
- WEB: https://news.ycombinator.com/item?id=44666896
- WEB: https://nvd.nist.gov/vuln/detail/CVE-2025-54090
- WEB: http://www.openwall.com/lists/oss-security/2025/07/24/2