Date: 2025-04-28 Updated: 2025-05-29
mod_auth_openidc information leak vulnerability
HIGH risk vulnerability in mod_auth_openidc where information may be leaked in mod_auth_openidc, an OpenID Certified authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. [R 1], [R 2]
EGI SVG ID : EGI-SVG-2025-06
CVE ID : CVE-2025-31492
CVSS Score : 8.2 [R 1] / 7.5 [R 3]
Sites are recommended to update relevant components as soon as possible, using information in references below.
This component is used in various places in EGI, including the EGI Fed Cloud authentication.
Keystone (OpenStack identity service) uses it.
There is also the possibility that the risk may be elevated to ‘Critical’ given a public exploit and unauthenticated access and sites will then be required to patch or have mitigation in place within 7 days or risk suspension.
Some possibilities for mitigation are given in references below.
Also see references below for more information.
TLP:CLEAR information - Unlimited distribution
https://advisories.egi.eu/Advisory-EGI-SVG-2025-06
https://advisories.egi.eu/Advisory-SVG-CVE-2025-31492
Minor updates may be made without re-distribution to the sites.
This advisory is subject to the Creative Commons licence
https://creativecommons.org/licenses/by/4.0/ and
the EGI (https://www.egi.eu/) Software Vulnerability Group
must be credited. -----------------------------
Comments or questions should be sent to svg-rat at mailman.egi.eu
Vulnerabilities relevant for EGI can be reported at report-vulnerability at egi.eu
(see [R 99] for further details, and other information on SVG)
[R 2] https://lists.debian.org/debian-lts-announce/2025/04/msg00025.html
[R 4] https://security-tracker.debian.org/tracker/CVE-2025-31492
[R 6] https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-59jp-rwph-878r
[R 6] https://errata.build.resf.org/ (RockyLinux)
[R 7] https://errata.almalinux.org/ (AlmaLinux)
[R 99] https://confluence.egi.eu/display/EGIBG/SVG+Advisories
SVG was alerted to this vulnerability by Enol Fernández