| Package | libapache2-mod-auth-openidc |
|---|---|
| Version | 2.3.10.2-1+deb10u5 (buster) |
| Related CVEs | CVE-2025-3891 |

A vulnerability has been fixed in mod_auth_openidc, an OpenID Certified authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality.
An unauthenticated attacker can crash the Apache httpd process by sending a POST request without a Content-Type header when OIDCPreservePost is enabled in mod_auth_openidc. This leads to denial of service.
A workaround is to disable the OIDCPreservePost directive.
For Debian 10 buster, this problem has been fixed in version 2.3.10.2-1+deb10u5.
We recommend that you upgrade your libapache2-mod-auth-openidc packages.
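One way to check a buster host against both the fixed version and the workaround, as an added example that is not part of the advisory. The function names and the `/etc/apache2` default path are assumptions; the version string is the one given above.

```shell
#!/bin/sh
# Added example, not part of the advisory. Function names and the default
# /etc/apache2 path are assumptions; FIXED_VERSION is the buster fix above.
FIXED_VERSION='2.3.10.2-1+deb10u5'

# Print file:line:text for every active (uncommented) "OIDCPreservePost On".
# Apache matches directive names and On/Off case-insensitively.
# grep -r also reads *-available files that may not be enabled.
preserve_post_enabled_lines() {
    grep -rEin '^[[:space:]]*OIDCPreservePost[[:space:]]+"?on"?[[:space:]]*$' \
        "$1" 2>/dev/null || true
}

# 0 = installed version has the fix, 1 = older, 2 = package not installed.
package_is_fixed() {
    installed=$(dpkg-query -W -f='${Version}' \
        libapache2-mod-auth-openidc 2>/dev/null) || return 2
    [ -n "$installed" ] || return 2
    dpkg --compare-versions "$installed" ge "$FIXED_VERSION"
}

# Report package state and directive state; return 1 only when both are bad.
audit() {
    conf_root=${1:-/etc/apache2}
    hits=$(preserve_post_enabled_lines "$conf_root")
    status=0
    package_is_fixed || status=$?
    case $status in
        0) echo "package: $FIXED_VERSION or later installed" ;;
        1) echo "package: older than $FIXED_VERSION, upgrade" ;;
        *) echo "package: libapache2-mod-auth-openidc not installed" ;;
    esac
    if [ -n "$hits" ]; then
        echo "OIDCPreservePost is enabled here:"
        echo "$hits"
    else
        echo "no active OIDCPreservePost On under $conf_root"
    fi
    # Exposed only when the package is unpatched and the directive is on.
    if [ "$status" -eq 1 ] && [ -n "$hits" ]; then return 1; fi
    return 0
}

# Run the audit only when a config root is passed on the command line.
if [ "$#" -gt 0 ]; then audit "$1"; fi
```

Run it as `sh script.sh /etc/apache2`; a non-zero exit means an unpatched package with the directive still enabled.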
Further information about Extended LTS security advisories can be found in the dedicated section of our website.