{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-53020", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2025-06-24T07:13:19.552Z", "datePublished": "2025-07-10T16:59:06.340Z", "dateUpdated": "2025-11-04T21:11:43.692Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache HTTP Server", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.4.63", "status": "affected", "version": "2.4.17", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Gal Bar Nahum"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server.</p><p>This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63.</p><p>Users are recommended to upgrade to version 2.4.64, which fixes the issue.</p>"}], "value": "Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server.\n\nThis issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63.\n\nUsers are recommended to upgrade to version 2.4.64, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-401", "description": "CWE-401 Missing Release of Memory after Effective Lifetime", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-07-10T16:59:06.340Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}], "source": {"discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2025-06-18T09:19:00.000Z", "value": "reported"}, {"lang": "en", "time": "2025-06-19T09:20:00.000Z", "value": "fix developed"}, {"lang": "en", "time": "2025-07-07T00:00:00.000Z", "value": "2.4.x revision 1927046"}], "title": "Apache HTTP Server: HTTP/2 DoS by Memory Increase", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-07-11T16:05:41.419033Z", "id": "CVE-2025-53020", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-15T19:56:07.763Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00009.html"}, {"url": "http://www.openwall.com/lists/oss-security/2025/07/10/10"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-04T21:11:43.692Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00009.html"}, {"url": "http://www.openwall.com/lists/oss-security/2025/07/10/10"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-04T21:11:43.692Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-53020", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-11T16:05:41.419033Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-11T16:05:43.316Z"}}], "cna": {"title": "Apache HTTP Server: HTTP/2 DoS by Memory Increase", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Gal Bar Nahum"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache HTTP Server", "versions": [{"status": "affected", "version": "2.4.17", "versionType": "semver", "lessThanOrEqual": "2.4.63"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-18T09:19:00.000Z", "value": "reported"}, {"lang": "en", "time": "2025-06-19T09:20:00.000Z", "value": "fix developed"}, {"lang": "en", "time": "2025-07-07T00:00:00.000Z", "value": "2.4.x revision 1927046"}], "references": [{"url": "https://httpd.apache.org/security/vulnerabilities_24.html", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server.\n\nThis issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63.\n\nUsers are recommended to upgrade to version 2.4.64, which fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server.</p><p>This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63.</p><p>Users are recommended to upgrade to version 2.4.64, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-401", "description": "CWE-401 Missing Release of Memory after Effective Lifetime"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-07-10T16:59:06.340Z"}}}, "cveMetadata": {"cveId": "CVE-2025-53020", "state": "PUBLISHED", "dateUpdated": "2025-11-04T21:11:43.692Z", "dateReserved": "2025-06-24T07:13:19.552Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2025-07-10T16:59:06.340Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "AD8F0C5C-64B1-4F7D-91B1-B2B87CD824B2", "versionEndExcluding": "2.4.64", "versionStartIncluding": "2.4.17", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server.\n\nThis issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63.\n\nUsers are recommended to upgrade to version 2.4.64, which fixes the issue."}, {"lang": "es", "value": "Vulnerabilidad de liberaci\u00f3n tard\u00eda de memoria tras el tiempo de vida \u00fatil efectivo en el servidor Apache HTTP. Este problema afecta al servidor Apache HTTP desde la versi\u00f3n 2.4.17 hasta la 2.4.63. Se recomienda actualizar a la versi\u00f3n 2.4.64, que soluciona el problema."}], "id": "CVE-2025-53020", "lastModified": "2025-11-04T22:16:21.183", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-07-10T17:15:48.337", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/07/10/10"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00009.html"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "httpd: Apache HTTP Server Memory Exhaustion", "id": "2379343", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379343"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-401", "details": ["A memory exhaustion flaw has been discovered in the Apache HTTP server. In some instances, the Apache HTTP server fails to free memory. Given sufficient time, this may lead to the host operating system killing the web server in order to reclaim memory."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-53020", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "httpd:2.4/httpd", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_core_services:1", "fix_state": "Fix deferred", "package_name": "httpd", "product_name": "Red Hat JBoss Core Services"}, {"cpe": "cpe:/a:redhat:jboss_core_services:1", "fix_state": "Fix deferred", "package_name": "jbcs-httpd24-httpd", "product_name": "Red Hat JBoss Core Services"}], "public_date": "2025-07-10T16:59:06Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-53020\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-53020\nhttps://httpd.apache.org/security/vulnerabilities_24.html"], "threat_severity": "Moderate"}

{"created": "2025-07-12T23:06:28.511117+00:00", "updated": "2025-07-12T23:06:28.511197+00:00", "vendors": ["apache", "apache$PRODUCT$apache_http_server"]}