09 Apr

In a recently published security advisory, OpenIDC has revealed a vulnerability in mod_auth_openidc, the widely used OpenID Connect module for the Apache HTTP server. The flaw, tracked as CVE-2025-31492 and rated 8.2 on the CVSSv4 scale, allows unauthenticated users to access protected web content under specific conditions, potentially undermining the security of applications that rely on OpenID Connect for authentication.
The vulnerability specifically affects systems configured with the directive OIDCProviderAuthRequestMethod POST and a Require valid-user authentication policy, without an application-level gateway (such as a reverse proxy or load balancer) in place. Under these circumstances, mod_auth_openidc fails to adequately prevent unauthorized access to protected pages.
As the advisory notes: "A bug in a mod_auth_openidc results in disclosure of protected content to unauthenticated users."
The bug stems from the way the module interacts with Apache's internal request handling logic. When a user requests a protected resource, the server returns a multipart response. This includes not only the expected HTTP status and headers and the authentication form, but also the protected page's content, even though the user is not yet authenticated.
The problem arises because the module’s oidc_content_handler fails to check for this specific request pattern and inadvertently allows Apache to append unauthorized content to the response.
According to the advisory: "It is hard to notice the error if you're using an HTTP library to do requests – the invalid data will be silently dropped, a new connection will be created, and the end-user remains none the wiser."
This makes traditional testing and logging ineffective in spotting the leak, increasing the risk of undetected data exposure.
Organizations running mod_auth_openidc versions prior to 2.4.16.11 with the POST authentication request method and no protective gateway are at risk. The bug particularly affects deployments where authentication happens inline and the application is directly exposed to the public web.
A fix has been released in mod_auth_openidc version 2.4.16.11, which addresses the oversight in oidc_content_handler. OpenIDC also recommends alternative mitigations for those unable to immediately patch:
Switch to GET: Using OIDCProviderAuthRequestMethod GET (the default) avoids triggering the bug.
Add a gateway: Deploying an application-level gateway or reverse proxy conceals the erroneous data from unauthenticated users.
As the advisory emphasizes: "If there is an application-level gateway protecting the server, it mitigates the problem by hiding the extra content from the outside world."
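To make the affected and mitigated configurations concrete, here is an added Apache configuration example (written for this article; it is not taken from the advisory or from the mod_auth_openidc project). The provider URL, client credentials, passphrase and paths are placeholders; only the directives OIDCProviderAuthRequestMethod, AuthType openid-connect and Require valid-user are the ones the advisory discusses, the rest is the usual minimum a mod_auth_openidc client needs.

```apache
# Added configuration example, not the project's own. All hostnames,
# credentials and paths below are placeholders to replace with your values.

# --- Affected configuration (mod_auth_openidc before 2.4.16.11) ---
# POST request method to the provider, combined with Require valid-user,
# on a server that is directly reachable from the internet. This is the
# combination the advisory describes as vulnerable. Shown commented out.
#
# OIDCProviderAuthRequestMethod POST
# <Location /protected>
#     AuthType openid-connect
#     Require  valid-user
# </Location>

# --- Mitigated configuration ---
# Mitigation 1: use the default GET request method. Either remove the
# POST directive entirely or set it explicitly, as done here.
OIDCProviderAuthRequestMethod GET

# Shared OIDC client settings (placeholders)
OIDCProviderMetadataURL https://idp.example.invalid/.well-known/openid-configuration
OIDCClientID            PLACEHOLDER_CLIENT_ID
OIDCClientSecret        PLACEHOLDER_CLIENT_SECRET
OIDCRedirectURI         https://app.example.invalid/protected/redirect_uri
OIDCCryptoPassphrase    PLACEHOLDER_PASSPHRASE

<Location /protected>
    AuthType openid-connect
    Require  valid-user
</Location>

# Mitigation 2 (in addition, or where GET is not an option): do not expose
# this server directly; place it behind a reverse proxy or application-level
# gateway so that any extra body data never reaches unauthenticated clients.
# The actual fix is upgrading mod_auth_openidc to 2.4.16.11 or later.
```

After editing, `apachectl -t` validates the syntax and `apachectl -M` confirms that auth_openidc_module is loaded; check the installed module version against 2.4.16.11 before relying on the GET workaround alone, since the advisory presents it as a mitigation rather than a substitute for the patch.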
