mod_auth_openidc is an OpenID Certified authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. Prior to 2.4.16.11, a bug in a mod_auth_openidc results in disclosure of protected content to unauthenticated users. The conditions for disclosure are an OIDCProviderAuthRequestMethod POST, a valid account, and there mustn't be any application-level gateway (or load balancer etc) protecting the server. When you request a protected resource, the response includes the HTTP status, the HTTP headers, the intended response (the self-submitting form), and the protected resource (with no headers). This is an example of a request for a protected resource, including all the data returned. In the case where mod_auth_openidc returns a form, it has to return OK from check_userid so as not to go down the error path in httpd. This means httpd will try to issue the protected resource. oidc_content_handler is called early, which has the opportunity to prevent the normal output being issued by httpd. oidc_content_handler has a number of checks for when it intervenes, but it doesn't check for this case, so the handler returns DECLINED. Consequently, httpd appends the protected content to the response. The issue has been patched in mod_auth_openidc versions >= 2.4.16.11.

redhat RHSA-2025:4228: RHSA-2025:4228: mod_auth_openidc:2.3 security update (Important)

Security Update for mod_auth_openidc

The remote Redhat Enterprise Linux 9 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2025:4225 advisory.

    The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an     Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.

    Security Fix(es):

    * mod_auth_openidc: mod_auth_openidc allows OIDCProviderAuthRequestMethod POSTs to leak protected data     (CVE-2025-31492)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2025:4227 advisory.

    The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an     Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.

    Security Fix(es):

    * mod_auth_openidc: mod_auth_openidc allows OIDCProviderAuthRequestMethod POSTs to leak protected data     (CVE-2025-31492)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2025:4224 advisory.

    The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an     Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.

    Security Fix(es):

    * mod_auth_openidc: mod_auth_openidc allows OIDCProviderAuthRequestMethod POSTs to leak protected data     (CVE-2025-31492)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2025:4192 advisory.

    The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an     Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.

    Security Fix(es):

    * mod_auth_openidc: mod_auth_openidc allows OIDCProviderAuthRequestMethod POSTs to leak protected data     (CVE-2025-31492)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 22.04 LTS / 24.04 LTS / 24.10 / 25.04 host has a package installed that is affected by a vulnerability as referenced in the USN-7446-1 advisory.

    It was discovered that mod_auth_openidc incorrectly handled certain POST requests. An attacker could     possibly use this issue to obtain sensitive information.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2025:3997 advisory.

    The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an     Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.

    Security Fix(es):

    * mod_auth_openidc: mod_auth_openidc allows OIDCProviderAuthRequestMethod POSTs to leak protected data     (CVE-2025-31492)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2025:4128 advisory.

    The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an     Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.

    Security Fix(es):

    * mod_auth_openidc: mod_auth_openidc allows OIDCProviderAuthRequestMethod POSTs to leak protected data     (CVE-2025-31492)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2025-3997 advisory.

    cjose     mod_auth_openidc     [2.4.9.4-7]
    - Resolves: RHEL-86218 - mod_auth_openidc allows OIDCProviderAuthRequestMethod                 POSTs to leak protected data (CVE-2025-31492)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 8 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2025:3997 advisory.

    * mod_auth_openidc: mod_auth_openidc allows OIDCProviderAuthRequestMethod POSTs to leak protected data     (CVE-2025-31492)

Tenable has extracted the preceding description block directly from the AlmaLinux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2025:3945 advisory.

    The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an     Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.

    Security Fix(es):

    * mod_auth_openidc: mod_auth_openidc allows OIDCProviderAuthRequestMethod POSTs to leak protected data     (CVE-2025-31492)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 host has a package installed that is affected by a vulnerability as referenced in the SUSE- SU-2025:1337-1 advisory.

    - CVE-2025-31492: Fixed a bug where OIDCProviderAuthRequestMethod POSTs can leak protected data.
    (bsc#1240893)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 40 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2025-80600b51c5 advisory.

    REbase mod_auth_openidc-2.4.16.11 resolves CVE-2025-31492 - mod_auth_openidc allows     OIDCProviderAuthRequestMethod POSTs to leak protected data


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 41 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2025-7d661758bd advisory.

    REbase mod_auth_openidc-2.4.16.11 resolves CVE-2025-31492 - mod_auth_openidc allows     OIDCProviderAuthRequestMethod POSTs to leak protected data


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 12 host has a package installed that is affected by a vulnerability as referenced in the dsa-5904 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-5904-1                   security@debian.org     https://www.debian.org/security/                       Moritz Muehlenhoff     April 17, 2025                        https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : libapache2-mod-auth-openidc     CVE ID         : CVE-2025-31492

    It was discovered that mod_auth_openidc, an OpenID Certified     authentication and authorization module for the Apache HTTP server that     implements the OpenID Connect Relying Party functionality, was     susceptible to information disclosure in some configurations

    For the stable distribution (bookworm), this problem has been fixed in     version 2.4.12.3-2+deb12u3.

    We recommend that you upgrade your libapache2-mod-auth-openidc packages.

    For the detailed security status of libapache2-mod-auth-openidc please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/libapache2-mod-auth-openidc

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has a package installed that is affected by a vulnerability as referenced in the dla-4129 advisory.

    -------------------------------------------------------------------------     Debian LTS Advisory DLA-4129-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                       Moritz Schlarb     April 17, 2025                                https://wiki.debian.org/LTS
    -------------------------------------------------------------------------

    Package        : libapache2-mod-auth-openidc     Version        : 2.4.9.4-0+deb11u5     CVE ID         : CVE-2025-31492     Debian Bug     : 1102413

    A vulnerability has been fixed in mod_auth_openidc, an OpenID Certified     authentication and authorization module for the Apache 2.x HTTP server     that implements the OpenID Connect Relying Party functionality.

    The bug in mod_auth_openidc results in disclosure of protected content to     unauthenticated users.
    The conditions for disclosure are the following directives:
        OIDCProviderAuthRequestMethod POST         Require valid-user     and there mustn't be any application-level gateway (or load balancer etc)     protecting the server.
    When you request a protected resource, the response includes the HTTP     status, the HTTP headers, the intended response (the self-submitting     form), *and the protected resource (with no headers)*.
    The patch fixing this issue has been backported from mod_auth_openidc     2.4.16.11.

    For Debian 11 bullseye, this problem has been fixed in version     2.4.9.4-0+deb11u5.

    We recommend that you upgrade your libapache2-mod-auth-openidc packages.

    For the detailed security status of libapache2-mod-auth-openidc please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/libapache2-mod-auth-openidc

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS     Attachment:
    signature.asc     Description: This is a digitally signed message part

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2025:1324-1 advisory.

    - CVE-2025-31492: Fixed a bug where OIDCProviderAuthRequestMethod POSTs can leak protected data.
    (bsc#1240893)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2025:1286-1 advisory.

    - CVE-2025-31492: Fixed a bug where OIDCProviderAuthRequestMethod POSTs can leak protected data.
    (bsc#1240893)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - mod_auth_openidc is an OpenID Certified authentication and authorization module for the Apache 2.x HTTP     server that implements the OpenID Connect Relying Party functionality. Prior to 2.4.16.11, a bug in a     mod_auth_openidc results in disclosure of protected content to unauthenticated users. The conditions for     disclosure are an OIDCProviderAuthRequestMethod POST, a valid account, and there mustn't be any     application-level gateway (or load balancer etc) protecting the server. When you request a protected     resource, the response includes the HTTP status, the HTTP headers, the intended response (the self-     submitting form), and the protected resource (with no headers). This is an example of a request for a     protected resource, including all the data returned. In the case where mod_auth_openidc returns a form, it     has to return OK from check_userid so as not to go down the error path in httpd. This means httpd will try     to issue the protected resource. oidc_content_handler is called early, which has the opportunity to     prevent the normal output being issued by httpd. oidc_content_handler has a number of checks for when it     intervenes, but it doesn't check for this case, so the handler returns DECLINED. Consequently, httpd     appends the protected content to the response. The issue has been patched in mod_auth_openidc versions >=     2.4.16.11. (CVE-2025-31492)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
234889	RHEL 9 : mod_auth_openidc (RHSA-2025:4225)	Nessus	Red Hat Local Security Checks	high
234888	RHEL 8 : mod_auth_openidc:2.3 (RHSA-2025:4227)	Nessus	Red Hat Local Security Checks	high
234886	RHEL 9 : mod_auth_openidc (RHSA-2025:4224)	Nessus	Red Hat Local Security Checks	high
234808	RHEL 8 : mod_auth_openidc:2.3 (RHSA-2025:4192)	Nessus	Red Hat Local Security Checks	high
234775	Ubuntu 22.04 LTS / 24.04 LTS / 24.10 / 25.04 : mod_auth_openidc vulnerability (USN-7446-1)	Nessus	Ubuntu Local Security Checks	high
234771	RHEL 8 : mod_auth_openidc:2.3 (RHSA-2025:3997)	Nessus	Red Hat Local Security Checks	high
234768	RHEL 8 : mod_auth_openidc:2.3 (RHSA-2025:4128)	Nessus	Red Hat Local Security Checks	high
234722	Oracle Linux 8 : mod_auth_openidc:2.3 (ELSA-2025-3997)	Nessus	Oracle Linux Local Security Checks	high
234712	AlmaLinux 8 : mod_auth_openidc:2.3 (ALSA-2025:3997)	Nessus	Alma Linux Local Security Checks	high
234650	RHEL 9 : mod_auth_openidc (RHSA-2025:3945)	Nessus	Red Hat Local Security Checks	high
234614	SUSE SLES12 Security Update : apache2-mod_auth_openidc (SUSE-SU-2025:1337-1)	Nessus	SuSE Local Security Checks	high
234592	Fedora 40 : mod_auth_openidc (2025-80600b51c5)	Nessus	Fedora Local Security Checks	high
234585	Fedora 41 : mod_auth_openidc (2025-7d661758bd)	Nessus	Fedora Local Security Checks	high
234575	Debian dsa-5904 : libapache2-mod-auth-openidc - security update	Nessus	Debian Local Security Checks	high
234574	Debian dla-4129 : libapache2-mod-auth-openidc - security update	Nessus	Debian Local Security Checks	high
234540	SUSE SLES15 Security Update : apache2-mod_auth_openidc (SUSE-SU-2025:1324-1)	Nessus	SuSE Local Security Checks	high
234483	SUSE SLES15 / openSUSE 15 Security Update : apache2-mod_auth_openidc (SUSE-SU-2025:1286-1)	Nessus	SuSE Local Security Checks	high
234195	Linux Distros Unpatched Vulnerability : CVE-2025-31492	Nessus	Misc.	medium

Detections

Analytics

CVE-2025-31492

high

Tenable Plugins

Coming Soon

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

medium