CVE-2023-25824

Public Exploit
mod_gnutls contains Infinite Loop on request read timeout

Description

Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. Versions 0.9.0 through 0.12.0 (inclusive) did not properly fail blocking read operations on TLS connections when the transport hit timeouts. Instead, the module entered an endless loop retrying the read operation, consuming CPU resources. This could be exploited for denial of service attacks. If trace level logging was enabled, the loop would also produce an excessive amount of log output, consuming disk space. The problem has been fixed in commit d7eec4e598158ab6a98bf505354e84352f9715ec; please update to version 0.12.1. There are no workarounds; users who cannot update should apply the errno fix detailed in the security advisory.
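
The failure mode described above, modelled as an added example (not mod_gnutls code): a blocking read that retries on transient errors spins forever when the transport reports a timeout with a "try again" errno, and fails cleanly when the timeout gets a non-retryable errno. The function names, the use of EAGAIN and ETIMEDOUT, and the spin cap are assumptions for illustration; the page only states that the fix concerns errno.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed stand-in for the transport pull callback on a connection whose
 * peer sends nothing: every call hits the read timeout. The errno values are
 * assumptions for illustration, not taken from the mod_gnutls source. */
static long transport_pull(int timeout_as_eagain)
{
    errno = timeout_as_eagain ? EAGAIN : ETIMEDOUT;
    return -1;
}

/* Blocking read that retries only on transient errors. Returns the number of
 * pull attempts; *err receives 0 on success or the errno that ended the read.
 * max_spins exists only so the flawed variant terminates in this demo. */
static unsigned blocking_read(int timeout_as_eagain, unsigned max_spins, int *err)
{
    unsigned attempts = 0;
    while (attempts < max_spins) {
        attempts++;
        if (transport_pull(timeout_as_eagain) >= 0) {
            *err = 0;
            return attempts;
        }
        if (errno == EAGAIN || errno == EINTR)
            continue;               /* looks transient: retry */
        *err = errno;               /* hard failure: stop and report */
        return attempts;
    }
    *err = EAGAIN;                  /* cap reached while still "retryable" */
    return attempts;
}

int main(void)
{
    int err;
    unsigned n = blocking_read(1, 1000000, &err);
    printf("timeout reported as EAGAIN: %u attempts, still spinning\n", n);
    n = blocking_read(0, 1000000, &err);
    printf("timeout reported as ETIMEDOUT: %u attempt, read fails\n", n);
    return 0;
}
```

In a real worker the first case has no cap, so one idle connection pins a CPU core until the process is killed, which is why sustained CPU use by a worker holding a silent TLS connection is the signal to look for on unpatched versions.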

CVSS: 7.5 (CVSS 3.1)
Severity: High
EPSS: 0.39%
Vendor Advisory: github.com
Affected: airtower-luna mod_gnutls

Frequently Asked Questions

What is the severity of CVE-2023-25824?
CVE-2023-25824 has been scored as a high severity vulnerability.
How to fix CVE-2023-25824?
To fix CVE-2023-25824, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. For now, there are no other specific guidelines available.
Is CVE-2023-25824 being actively exploited in the wild?
It is possible that CVE-2023-25824 is being exploited or will be exploited in the near future, based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-25824?
CVE-2023-25824 affects airtower-luna mod_gnutls.