CVE-2024-42516

Severity
7.5 HIGH
EPSS
0.3%
top 43.45%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jul 10
Latest update: Jan 15

Description

HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server to split the HTTP response. This vulnerability was described as CVE-2023-38709, but the patch included in Apache HTTP Server 2.4.59 did not address the issue. Users are recommended to upgrade to version 2.4.64, which fixes this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (5 packages)

NVD | apache/http_server | 2.4.0 | 2.4.64
Alpine | apache2 | < 2.4.64-r0 | +4
Debian | apache2 | < 2.4.65-1~deb11u1 | +3
Ubuntu | apache2 | < 2.4.52-1ubuntu4.15 | +1

🔴 Vulnerability Details

6
OSV
apache2 vulnerabilities (2025-08-19)
OSV
apache2 vulnerabilities (2025-07-16)
GHSA
GHSA-5j7h-7m92-jgh4: HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications host (2025-07-10)
OSV
CVE-2024-42516: HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications host (2025-07-10)
OSV
CVE-2024-42516: HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications host (2025-07-10)

📋 Vendor Advisories

6
Oracle
Oracle Oracle Fusion Middleware Risk Matrix: Core (Apache HTTP Server) — CVE-2024-42516 (2026-01-15)
Ubuntu
Apache HTTP Server vulnerabilities (2025-08-19)
Ubuntu
Apache HTTP Server vulnerabilities (2025-07-16)
Red Hat
httpd: incomplete fix for CVE-2023-38709 (2025-07-14)
Microsoft
Apache HTTP Server: HTTP response splitting (2025-07-08)