CVE-2018-25169: Denial of Service Vulnerability in AMPPS 2.7
A denial of service (DoS) vulnerability in AMPPS 2.7 — a local development web server stack bundling Apache, MySQL, PHP, Perl, and Python — has been formally catalogued by the National Vulnerability Database as CVE-2018-25169, carrying a CVSS score of 7.5 (High).
The flaw enables remote attackers to crash the AMPPS service by establishing multiple socket connections and transmitting malformed or invalid payloads to the default HTTP port, exhausting server resources and rendering the service unavailable.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2018-25169 |
| CVSS Score | 7.5 (High) |
| CWE Classification | CWE-400 — Uncontrolled Resource Consumption |
| Affected Software | AMPPS 2.7 |
| Attack Vector | Network (remote) |
| Authentication Required | None |
| Impact | Service crash / availability loss |
| NVD Published | March 6, 2026 |
| Original Flaw Discovery | 2018 |
About AMPPS
AMPPS (Ampps Multi-Platform PHP Stack) is a desktop application developed by Softaculous that provides developers with a local stack running Apache, MySQL/MariaDB, PHP, Perl, and Python for offline development and testing. It is primarily targeted at developers who need a quick local environment without configuring each component manually.
AMPPS is designed as a local development tool and is not intended for use as an internet-facing production server. However, misconfigured installations accessible on a local network or from the internet represent an attack surface.
Technical Details
The vulnerability exists in AMPPS 2.7's HTTP server component. By:
- Establishing multiple concurrent socket connections to the default HTTP port
- Transmitting malformed or invalid data payloads that the server fails to handle gracefully
...an attacker can trigger resource exhaustion, causing the service to become unresponsive or crash.
This class of vulnerability (CWE-400 — Uncontrolled Resource Consumption) typically results from:
- Lack of connection rate limiting
- Absence of payload size or malformation checks
- Inadequate timeout and cleanup handling for invalid connections
Risk Context
The practical risk from CVE-2018-25169 is limited by the typical deployment context of AMPPS:
| Factor | Assessment |
|---|---|
| Intended use | Local development only — not for production |
| Network exposure | Low if firewall properly configured |
| Confidentiality / integrity impact | None — DoS only; no code execution or authentication bypass |
| Active exploitation | No known in-the-wild exploitation |
| Software currency | AMPPS 2.7 is an older version |
The main risk exists where developers run AMPPS on machines that are inadvertently accessible from a local network or the internet — for example, on shared office networks, cloud VMs used for development, or systems with firewall rules that expose the HTTP port.
Remediation
- Upgrade AMPPS to the latest available version — newer releases address known vulnerabilities and improve resource handling
- Restrict network access — bind AMPPS only to 127.0.0.1 (localhost) rather than 0.0.0.0, preventing external connections
- Firewall the HTTP port — block inbound connections to the AMPPS HTTP port from untrusted networks
- Disable AMPPS when not in use — as a local development tool, the service should only be running during active development sessions
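As an added example (not code from the original page, and not Softaculous/AMPPS code), the shell script below audits an Apache httpd.conf for the two things this advisory calls for: Listen directives bound to anything other than the loopback address, and the absence of the request-timeout, body-size and worker-cap directives that address the CWE-400 weaknesses listed under Technical Details (no rate limiting, no payload checks, no timeouts). The sample httpd.conf it builds is constructed, the config path and port 80 are assumptions, and the values in the hardened fragment are illustrative defaults, not AMPPS's own. RequestReadTimeout requires mod_reqtimeout to be loaded, and MaxRequestWorkers is the Apache 2.4 name (2.2 used MaxClients).

```shell
#!/usr/bin/env sh
# Added audit example for the AMPPS/Apache hardening described above.
# Not from the original page or from Softaculous. Paths, port numbers and
# directive values are assumptions chosen for illustration.

# Print every uncommented Listen directive that is NOT bound to loopback.
# A bare port ("Listen 80") binds every interface and therefore counts as exposed.
# Returns 0 when nothing is exposed, 1 otherwise.
exposed_listeners() {
    conf="$1"; rc=0
    # keep lines starting with Listen (case-insensitive), drop trailing comments
    lines=$(grep -Ei '^[[:space:]]*Listen[[:space:]]' "$conf" | sed 's/#.*//')
    while read -r directive addr _; do
        [ -n "$directive" ] || continue            # skip the empty line from an empty $lines
        case "$addr" in
            127.0.0.1:*|"[::1]:"*) ;;               # loopback only: fine
            *) printf '%s %s\n' "$directive" "$addr"; rc=1 ;;
        esac
    done <<EOF
$lines
EOF
    return $rc
}

# Print each resource-limiting directive that is absent (or only present
# commented out). Returns 0 when all are set, 1 otherwise.
missing_limits() {
    conf="$1"; rc=0
    for d in Timeout KeepAliveTimeout LimitRequestBody RequestReadTimeout MaxRequestWorkers; do
        # anchored at line start, so "Timeout" does not match "KeepAliveTimeout"
        if ! grep -Eiq "^[[:space:]]*$d[[:space:]]" "$conf"; then
            printf '%s\n' "$d"; rc=1
        fi
    done
    return $rc
}

# Hardened fragment covering both checks. Values are illustrative assumptions.
hardened_fragment() {
    cat <<'EOF'
# Bind the HTTP port to the loopback interface only (port 80 assumed)
Listen 127.0.0.1:80
# Drop clients that idle or trickle request data (needs mod_reqtimeout)
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
Timeout 30
KeepAliveTimeout 5
# Cap request body size (bytes) and the number of concurrent workers
LimitRequestBody 10485760
MaxRequestWorkers 150
EOF
}

# --- demo against a constructed config (not a real AMPPS file) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/httpd.conf" <<'EOF'
# constructed sample resembling an exposed development install
ServerRoot "/Applications/AMPPS/apache"
Listen 0.0.0.0:80   # every interface
Listen 80
KeepAlive On
EOF
printf 'Exposed listeners:\n'
exposed_listeners "$demo_dir/httpd.conf" || true
printf 'Missing resource limits:\n'
missing_limits "$demo_dir/httpd.conf" || true
printf '\nHardened fragment to place in httpd.conf:\n'
hardened_fragment
rm -rf "$demo_dir"
```

Run it against the real file (for example `exposed_listeners /Applications/AMPPS/apache/conf/httpd.conf`, path assumed) and treat any output as a finding; a clean run returns 0 from both checks. Confirm the result at the socket layer too, since a `Listen` change only takes effect after Apache restarts: `ss -ltn` (or `netstat -an` on Windows) should show the HTTP port only on 127.0.0.1 or ::1.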
Quick network restriction (Apache httpd.conf):
# Restrict Apache to listen only on localhost
Listen 127.0.0.1:80
Key Takeaways
- CVE-2018-25169 is a denial of service vulnerability in AMPPS 2.7, now formally listed in NVD with CVSS 7.5 (High)
- Remote attackers can crash the service via malformed payloads on the default HTTP port — no authentication required
- Practical risk is low for properly configured local development setups, but elevated where AMPPS is inadvertently network-accessible
- Remediation: Upgrade to a current AMPPS version, restrict binding to localhost, and firewall the HTTP port from untrusted networks