A critical flaw in Apache mod_auth_openidc (versions ≤2.4.16.10) allows unauthenticated attackers to bypass authentication and access protected resources.
The bug, CVE-2025-31492, patched in version 2.4.16.11, affects systems using OIDCProviderAuthRequestMethod POST without an application-level gateway or load balancer.
The vulnerability stems from improper handling of authentication requests when the POST method is configured. Under specific conditions, an attacker who requests a protected resource receives a dual response: for example, an unauthenticated GET /foo/ returns a 200 OK whose body contains both the OIDC login form and the restricted page (e.g., <h1>Protected page</h1>).
Sample Request and Response

Request:

```text
GET /foo/ HTTP/1.1
Accept: */*
Host: xxxxxxxxxxxxxxxxxxxxxxxx
```

Response:

```text
HTTP/1.1 200 OK
Date: Wed, 09 Apr 2025 14:54:43 GMT
Server: Apache/2.4.63 (Unix) OpenSSL/3.0.2
Set-Cookie: mod_auth_openidc_state_Zjv-eHqSy08Do6CPJXYD-j_BJFk=eyJhbGciOiAiZGlyIiwgImVuYyI6ICJBMjU2R0NNIn0..DBQVvz1XSoTv7Pw0.d-DFmTTyBeu9nfGm0xaiJLBhsLSZLU4_PgpMwZi0-YmzzARn8sxjxuQc1yPiWMJ8Y0nCkyRP-VIn6VeOFNoHeKzIror1AMW5h1Wop0yky72x-o49Pc4SVKsF1T6p2jw8mZHow9VEC-HIaQilyzEBz5xoXp890KS5ih88NDj2nTulNOmQ56g_51osYx5N0sx-_i-EUsLNlxNgKXax37OckWtCzXCHT-TqYS5PJDoAQ6RAPGvgVnF48Nz9a0EN5aDhZfHQjIH46tjhca748A-Ft1LyMx3m3hkk3fU.fWYAzT6ukboFUu1EBUlKCg; Path=/; Secure; HttpOnly; SameSite=Lax
Content-Length: 1139
Content-Type: text/html
```
Most HTTP libraries discard malformed multipart data, but raw requests reveal the leaked content.
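A self-check administrators can run against their own deployment, added here as an example and not taken from the advisory or from mod_auth_openidc: it requests a protected path with no session cookie, reads the raw body without any multipart parsing, and flags a response that still contains a string only the protected page should carry. The MARKER value, the host names and both sample bodies are constructed assumptions; substitute a string unique to your own protected resource.

```python
"""Self-check for the mod_auth_openidc dual-response leak (CVE-2025-31492).

An unauthenticated request to a protected path must never return content
that only the protected page contains. MARKER and the sample bodies below
are constructed for this example, not captured from a real server.
"""
import http.client
import re
from urllib.parse import urlsplit

MARKER = "<h1>Protected page</h1>"  # assumption: present only on the protected page
LOGIN_FORM_RE = re.compile(r"<form[^>]+method=[\"']?post", re.IGNORECASE)


def classify_response(status: int, body: str, marker: str = MARKER) -> str:
    """Return 'leak', 'login-only', 'redirect' or 'other' for one raw response."""
    if 300 <= status < 400:
        return "redirect"  # OIDCProviderAuthRequestMethod GET: plain redirect to the OP
    if status == 200 and marker in body:
        # Protected content reached an unauthenticated client: the CVE symptom,
        # regardless of whether the OIDC auto-submit form is also in the body.
        return "leak"
    if status == 200 and LOGIN_FORM_RE.search(body):
        return "login-only"  # POST method, patched: only the login form is returned
    return "other"


def check_url(url: str, marker: str = MARKER, timeout: float = 10.0) -> str:
    """Fetch url with no cookies and classify the raw, unparsed body."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    conn.request("GET", parts.path or "/", headers={"Accept": "*/*"})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", errors="replace")  # raw bytes, nothing discarded
    conn.close()
    return classify_response(resp.status, body, marker)


# Constructed sample bodies: the first mimics the dual response, the second a patched server.
LEAKED_BODY = ('<html><body onload="document.forms[0].submit()">'
               '<form method="post" action="https://op.example/authorize">'
               '<input type="hidden" name="client_id" value="app"></form></body></html>'
               '<html><body><h1>Protected page</h1></body></html>')
PATCHED_BODY = LEAKED_BODY.split("</html>")[0] + "</html>"

if __name__ == "__main__":
    print(classify_response(200, LEAKED_BODY))   # leak
    print(classify_response(200, PATCHED_BODY))  # login-only
```

Run `check_url("https://your-host/foo/")` after patching to 2.4.16.11 as well; anything other than "login-only" or "redirect" for an unauthenticated client warrants a look at the OIDC configuration.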
Maintainer zandbelt addressed the issue by enhancing the oidc_content_handler to block unintended content appends.
Organizations are urged to act swiftly, as proof-of-concept exploits could emerge rapidly.
This vulnerability highlights the risks of misconfigured authentication workflows in critical infrastructure.
Administrators should prioritize patches and review OIDC configurations to prevent similar exposures.