PT-2025-15122 · Unknown · Mod Auth Openidc
Published 2025-04-06 · Updated 2025-12-29 · CVE-2025-31492
CVSS v4.0: 8.2 High
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
mod_auth_openidc versions prior to 2.4.16.11
Description
A bug in mod_auth_openidc results in disclosure of protected content to unauthenticated users. The conditions for disclosure include an OIDCProviderAuthRequestMethod of POST, a valid account, and the absence of an application-level gateway or load balancer protecting the server. When a protected resource is requested, the response includes the HTTP status, the HTTP headers, the intended response, and then the protected resource without headers. The oidc content handler is called early but does not check for this specific case, so the handler returns DECLINED and httpd appends the protected content to the response.
Recommendations
For mod_auth_openidc versions prior to 2.4.16.11, update to version 2.4.16.11 or later to resolve the issue. As a temporary workaround, consider restricting access to protected resources until the update can be applied.
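To turn the two locally checkable conditions above (module version and the OIDCProviderAuthRequestMethod directive) into an audit, here is an added helper; it is example code written for this record, not code from the advisory or from the mod_auth_openidc project. The sample configuration is constructed, and the GET fallback when the directive is absent is assumed from the module's documented default.

```python
import re

FIXED_VERSION = (2, 4, 16, 11)  # first release carrying the fix, per the advisory

def parse_version(text: str) -> tuple:
    """'2.4.16.9' -> (2, 4, 16, 9); tolerates a leading 'v' and a distro suffix such as '-1ubuntu1'."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_vulnerable_version(version: str) -> bool:
    # Numeric per-component comparison: 2.4.16.9 < 2.4.16.11 (a plain string compare gets this wrong).
    return parse_version(version) < FIXED_VERSION

DIRECTIVE = re.compile(r"\s*OIDCProviderAuthRequestMethod\s+(\S+)", re.IGNORECASE)

def auth_request_method(config: str) -> str:
    """Effective OIDCProviderAuthRequestMethod (last occurrence wins); assumes the module default GET when unset."""
    method = "GET"
    for line in config.splitlines():
        if line.lstrip().startswith("#"):  # httpd treats only a whole-line '#' as a comment
            continue
        m = DIRECTIVE.match(line)
        if m:
            method = m.group(1).upper()
    return method

def assess(version: str, config: str) -> dict:
    """Combine the two advisory conditions verifiable on the host; whether a gateway or load balancer fronts httpd is a deployment question not checked here."""
    vuln = is_vulnerable_version(version)
    method = auth_request_method(config)
    exposed = vuln and method == "POST"
    if exposed:
        action = "update to 2.4.16.11 or later; until then, restrict access to protected resources"
    elif vuln:
        action = "update to 2.4.16.11 or later (POST not configured, but the fixed release is still advised)"
    else:
        action = "no action required for CVE-2025-31492"
    return {"vulnerable_version": vuln, "auth_request_method": method, "exposed": exposed, "action": action}
# Constructed sample configuration, not taken from any real deployment.
SAMPLE_CONFIG = """\
OIDCProviderMetadataURL https://idp.example.invalid/.well-known/openid-configuration
# OIDCProviderAuthRequestMethod GET   <- commented out, must be ignored
OIDCProviderAuthRequestMethod POST
"""
if __name__ == "__main__":
    for v in ("2.4.16.9", "2.4.16.11"):
        print(v, assess(v, SAMPLE_CONFIG))
```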
Information Disclosure
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Almalinux
Centos
Debian
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Mod Auth Openidc