CVE-2025-54090 Overview
A logic flaw in Apache HTTP Server version 2.4.64 causes all RewriteCond expr ... tests to incorrectly evaluate as "true" regardless of the actual condition. This vulnerability affects the core URL rewriting functionality, potentially allowing attackers to bypass security controls that rely on conditional rewrite rules.
Critical Impact
Security controls implemented via Apache RewriteCond expressions are rendered ineffective, as all conditions evaluate to true. This could allow unauthorized access to protected resources or bypass access control mechanisms.
Affected Products
- Apache HTTP Server 2.4.64
Discovery Timeline
- July 23, 2025 - CVE-2025-54090 published to NVD
- November 4, 2025 - Last updated in NVD database
Technical Details for CVE-2025-54090
Vulnerability Analysis
This vulnerability falls under CWE-253 (Incorrect Check of Function Return Value), indicating that the Apache HTTP Server incorrectly handles the return value from expression evaluation functions within the mod_rewrite module. When administrators configure RewriteCond expr ... directives to enforce conditional URL rewriting logic, the server fails to properly evaluate these expressions.
The flaw is particularly concerning because administrators commonly use RewriteCond expressions to implement security controls such as IP-based access restrictions, referrer validation, and request header checks. With all expressions evaluating to true, these protective measures become completely ineffective.
Root Cause
The root cause stems from improper handling of expression evaluation return values in the mod_rewrite module of Apache HTTP Server 2.4.64. The bug causes the internal expression parser to return a truthy value for all RewriteCond expr ... tests, regardless of the actual evaluation logic. This represents a regression introduced in version 2.4.64 that breaks the expected behavior of conditional rewrite rules.
Attack Vector
This is a network-based vulnerability that can be exploited remotely without user interaction. Attackers can bypass security controls by sending requests that would normally be blocked by RewriteCond rules. For example:
If an administrator has configured rules to restrict access based on source IP addresses, geographic location, or specific HTTP headers, an attacker can circumvent these protections because the conditional checks always pass. The exploitation requires low privileges and can result in unauthorized access to protected resources, information disclosure, or integrity violations depending on what the RewriteCond rules were designed to protect.
For technical details on the vulnerability mechanism, refer to the Apache HTTP Vulnerabilities List and the OpenWall OSS Security Discussion.
Detection Methods for CVE-2025-54090
Indicators of Compromise
- Unexpected access to protected resources that should be restricted by RewriteCond rules
- Access log entries showing successful requests to URLs that should be blocked by conditional rewrite rules
- Increased traffic patterns to previously restricted endpoints
- Authentication bypass indicators in server logs
Detection Strategies
- Review Apache HTTP Server version using httpd -v or apachectl -v to identify if 2.4.64 is running
- Audit access logs for requests that should have been blocked by RewriteCond expressions
- Implement network monitoring to detect access patterns to protected resources
- Use file integrity monitoring to verify Apache configuration files haven't been modified
Monitoring Recommendations
- Enable detailed logging for mod_rewrite using RewriteLog and RewriteLogLevel directives to track rule evaluation
- Monitor access to sensitive endpoints that rely on RewriteCond-based access controls
- Set up alerts for unusual access patterns to protected resources
- Regularly audit Apache configuration files containing RewriteCond expr directives
How to Mitigate CVE-2025-54090
Immediate Actions Required
- Upgrade Apache HTTP Server from 2.4.64 to version 2.4.65 or later immediately
- Audit all Apache configuration files for RewriteCond expr ... directives to identify affected security controls
- Consider implementing alternative access control mechanisms (such as mod_authz_host or firewall rules) until the upgrade is complete
- Review access logs for evidence of unauthorized access during the exposure window
Patch Information
Apache has released version 2.4.65 which fixes this issue. Users running Apache HTTP Server 2.4.64 should upgrade immediately. Patch details and download links are available from the Apache HTTP Vulnerabilities List. Debian users can refer to the Debian LTS Security Announcement for distribution-specific updates.
Workarounds
- Replace RewriteCond expr ... directives with alternative conditional syntax such as standard RewriteCond variable tests
- Implement access controls using mod_authz_host or Require directives instead of RewriteCond expressions
- Deploy network-level access controls (firewall rules, WAF) to enforce restrictions that were previously handled by RewriteCond
- Consider temporarily disabling affected rewrite rules and implementing server-side application logic for critical security checks
# Check Apache version to determine if affected
httpd -v
# or
apachectl -v
# Upgrade to patched version (example for RHEL/CentOS)
yum update httpd
# Upgrade on Debian/Ubuntu
apt update && apt upgrade apache2
# After upgrade, restart Apache
systemctl restart httpd
# or
systemctl restart apache2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
