Apache Httpd vulnerabilities

55 known vulnerabilities affecting apache/httpd.

Total CVEs: 55
CISA KEV: 2 (actively exploited)
Public exploits: 9
Exploited in wild: 3
Severity breakdown: CRITICAL 1, HIGH 16, LOW 21, UNKNOWN 17

Vulnerabilities

Page 3 of 3
CVE-2024-27316 | UNKNOWN | CVSS 7.5 | apache
HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion. Acknowledgements: finder: Bartek Nowotarski (https://nowotarski.info/). Reported to security team 2024-02-22. Update 2.4.59 released 2024-04-04. Affects 2.4.17 through 2.4.58. Severity: moderate. Affected versions: 2.4.58
CVE-2024-39573 | UNKNOWN | CVSS 7.5 | apache
Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly set up URLs to be handled by mod_proxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Acknowledgements: finder: Orange Tsai (@orange_8361) from DEVCORE. Reported to security team 2024-04-01. Update 2.4.60 released 2024-07-01. Affects 2.4.0 through 2.4.59. Severity:
CVE-2022-37436 | UNKNOWN | CVSS 5.3 | apache
Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client. Acknowledgements: finder: Dimas Fariski Setyawan Putra (@nyxsorcerer). Reported to security team 2022-07-14. Update 2.4.55 released 2023-01-17. Affects before
CVE-2011-3348 | UNKNOWN | CVSS 4.3 | apache
A flaw was found when mod_proxy_ajp is used together with mod_proxy_balancer. Given a specific configuration, a remote attacker could send certain malformed HTTP requests, putting a backend server into an error state until the retry timeout expired. This could lead to a temporary denial of service. Reported to security team 2011-09-07. Issue public 2011-09-14. Update 2.2.21 released 2011-09-14. Affects 2.2.20, 2.2.19, 2.2.18, 2.2
CVE-2025-54090 | UNKNOWN | CVSS 6.3 | apache
A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond expr ..." tests evaluating as "true". Users are recommended to upgrade to version 2.4.65, which fixes the issue. Reported to security team 2025-07-16. Update 2.4.65 released 2025-07-23. Affects 2.4.64. Severity: moderate. Affected versions: 2.4.65,
CVE-2025-53020 | UNKNOWN | CVSS 7.5 | apache
Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63. Users are recommended to upgrade to version 2.4.64, which fixes the issue. Acknowledgements: finder: Gal Bar Nahum. Reported to security team 2025-06-18. Fix developed 2025-06-19. Update 2.4.64 released 2025-07-10. Affects 2.4.17 through 2.4.63. Severity: moderate. Affected versions
CVE-2020-11993 | UNKNOWN | CVSS 7.5 | apache
In Apache HTTP Server versions 2.4.20 to 2.4.43, when trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers. Acknowledgements: Felix Wilhelm of Google Project Zero. Reported to security team 2020-06
CVE-2011-0419 | UNKNOWN | CVSS 4.3 | PoC | apache
A flaw was found in the apr_fnmatch() function of the bundled APR library. Where mod_autoindex is enabled, and a directory indexed by mod_autoindex contained files with sufficiently long names, a remote attacker could send a carefully crafted request which would cause excessive CPU usage. This could be used in a denial of service attack. Workaround: Setting the 'IgnoreClient' option to the 'IndexOptions' directive disables pro
CVE-2023-27522 | UNKNOWN | CVSS 7.5 | apache
HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the response forwarded to the client. Acknowledgements: finder: Dimas Fariski Setyawan Putra (nyxsorcerer). Reported to security team 2023-01-29. Fixed by r1908094 in 2.4.x 2023-03-07. Update 2.4.56 released 2023-0
CVE-2025-66200 | UNKNOWN | CVSS 5.4 | apache
mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid. This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65. Users are recommended to upgrade to version 2.4.66, which fixes the issue. Acknowledgements: finder: Mattias Åsander (Umeå University). Reported
CVE-2007-3847 | UNKNOWN | CVSS 5.0 | apache
A flaw was found in the Apache HTTP Server mod_proxy module. On sites where a reverse proxy is configured, a remote attacker could send a carefully crafted request that would cause the Apache child process handling that request to crash. On sites where a forward proxy is configured, an attacker could cause a similar crash if a user could be persuaded to visit a malicious site using the proxy. This could lead to a denial of ser
CVE-2018-8011 | UNKNOWN | CVSS 7.5 | PoC | apache
By specially crafting HTTP requests, the mod_md challenge handler would dereference a NULL pointer and cause the child process to segfault. This could be used to DoS the server. Acknowledgements: The issue was discovered by Daniel Caminada. Reported to security team 2018-06-29. Issue public 2018-07-18. Update 2.4.34 released 2018-07-15. Affects 2.4.33. Severity: moderate
CVE-2012-4558 | UNKNOWN | CVSS 4.3 | apache
An XSS flaw affected the mod_proxy_balancer manager interface. Acknowledgements: This issue was reported by Niels Heinen of Google. Reported to security team 2012-10-07. Issue public 2013-02-18. Update 2.4.4 released 2013-02-25. Update 2.2.24 released 2013-02-25. Affects 2.4.3, 2.4.2, 2.4.1, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2
CVE-2023-45802 | UNKNOWN | CVSS 7.5 | apache
When an HTTP/2 stream was reset (RST frame) by a client, there was a time window where the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of mem
CVE-2008-2364 | UNKNOWN | CVSS 5.0 | apache
A flaw was found in the handling of excessive interim responses from an origin server when using mod_proxy_http. A remote attacker could cause a denial of service or high memory usage. Reported to security team 2008-05-29. Issue public 2008-06-10. Update 2.0.64 released 2010-10-19. Update 2.2.9 released 2008-06-14. Affects 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0, 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.
Apache Httpd vulnerabilities | cvebase