CVE-2024-43204

CWE-918 — Server-Side Request Forgery (SSRF)13 documents9 sources

Severity

7.5HIGH

EPSS

0.2%

top 53.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Http Server Apache Software Foundation Apache Http Server

Timeline

PublishedJul 10

Latest updateJan 15

Description

SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker. Requires an unlikely configuration where mod_headers is configured to modify the Content-Type request or response header with a value provided in the HTTP request. Users are recommended to upgrade to version 2.4.64 which fixes this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶NVDapache/http_server2.4.0 — 2.4.64

▶CVEListV5apache_software_foundation/apache_http_server2.4.0 — 2.4.63

▶Alpineapache2< 2.4.64-r0+4

▶Debianapache2< 2.4.65-1~deb11u1+3

▶Ubuntuapache2< 2.4.52-1ubuntu4.15+1

🔴Vulnerability Details

OSV

apache2 vulnerabilities↗2025-08-19

▶

OSV

apache2 vulnerabilities↗2025-07-16

▶

OSV

CVE-2024-43204: SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker↗2025-07-10

▶

CVEList

Apache HTTP Server: SSRF with mod_headers setting Content-Type header↗2025-07-10

▶

OSV

CVE-2024-43204: SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker↗2025-07-10

▶

📋Vendor Advisories

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: mod_proxy (Apache HTTP Server) — CVE-2024-43204↗2026-01-15

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2025-08-19

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2025-07-16

▶

Red Hat

httpd: SSRF in Apache HTTP Server with mod_proxy loaded↗2025-07-14

▶

Microsoft

Apache HTTP Server: SSRF with mod_headers setting Content-Type header↗2025-07-08

▶