Yoshihide,

The CERT/CC advisory for this vulnerability (VU#767506) lists the Apache HTTP Server Project as "Not Affected":
https://kb.cert.org/vuls/id/767506

The project was notified on 2025-05-28 and the status was confirmed on 2025-08-13.

Regarding the detection tool reporting a positive result — the tool may be detecting generic HTTP/2 behavior (like window management) that doesn't actually lead to the exploitable condition in httpd's case. The CERT/CC status is the authoritative determination from the project itself.

Hope that helps,
--Rich

On 2026/03/12 08:13:42 "Yoshihide Ito (Fujitsu) via users" wrote:
> Hello httpd users,
>
> I would like to ask for clarification on whether Apache HTTP Server is
> affected by the publicly disclosed HTTP/2 issue “MadeYouReset”
> (CVE-2025-8671), and specifically whether httpd 2.4.46 or later should be
> considered vulnerable. [1][2]
>
> Our observations
>
> - We are aware that Apache httpd's HTTP/2 support is implemented via
>   mod_http2, and mod_http2 uses nghttp2 as its implementation base. [3]
>
> - The nghttp2 project discussed this CVE and indicated that
>   nghttp2 is not affected (see nghttp2 issue #2484). [4]
>
> - However, we ran the detection tool published by one of the researchers
>   (Gal Bar Nahum) against Apache HTTP Server 2.4.46 and 2.4.62 in “checker
>   mode”.
>   The tool reported that the “overflow-window” primitive appears to be
>   applicable / detected for this target. [5]
>
> Any pointers to prior discussion, documentation, or official statements
> would be greatly appreciated.
>
> Thank you for your time and guidance.
>
> Best regards,
> Yoshihide Ito
>
>
> [1] CERT/CC VU#767506: https://kb.cert.org/vuls/id/767506
> [2] NVD CVE-2025-8671: https://nvd.nist.gov/vuln/detail/CVE-2025-8671
> [3] Apache httpd HTTP/2 guide (mod_http2 uses nghttp2):
>     https://httpd.apache.org/docs/2.4/howto/http2.html
> [4] Tool by Gal Bar Nahum: https://github.com/galbarnahum/MadeYouReset
> [5] nghttp2 issue #2484: https://github.com/nghttp2/nghttp2/issues/2484
