The Apache Software Foundation has released Apache HTTP Server version 2.4.64, addressing eight significant security vulnerabilities that affected versions spanning from 2.4.0 through 2.4.63.
This latest update resolves a range of issues, including HTTP response splitting, server-side request forgery (SSRF), and denial of service vulnerabilities that could potentially compromise server security and performance.
Key Takeaways
1. Apache HTTP Server 2.4.64 fixes eight vulnerabilities across all 2.4.x versions, including HTTP response splitting and SSRF flaws.
2. SSL/TLS patches resolve access control bypass, TLS upgrade hijacking, and log injection issues.
3. SSRF fixes address mod_proxy exploitation and Windows NTLM hash leakage via UNC paths.
4. HTTP/2 DoS vulnerabilities in proxy configurations and memory exhaustion require an immediate upgrade.
HTTP Response and SSL/TLS Security Flaws
The most significant vulnerability patched in this release is CVE-2024-42516, a moderate-severity HTTP response splitting vulnerability in Apache HTTP Server's core.
This flaw allows attackers who can manipulate Content-Type response headers of hosted or proxied applications to split HTTP responses.
Notably, this vulnerability was previously identified as CVE-2023-38709, but the patch included in Apache HTTP Server 2.4.59 did not adequately address the issue.
Two additional SSL/TLS-related vulnerabilities have been resolved. CVE-2025-23048 is a moderate-severity access control bypass affecting mod_ssl configurations on Apache HTTP Server versions 2.4.35 through 2.4.63.
This vulnerability allows trusted clients to bypass access controls using TLS 1.3 session resumption in multi-virtual-host environments where the virtual hosts have different trusted client certificate configurations.
The second SSL issue, CVE-2025-49812, affects configurations using "SSLEngine optional" to enable TLS upgrades, allowing man-in-the-middle attackers to hijack HTTP sessions via TLS upgrade attacks.
Another security concern addressed is CVE-2024-47252, involving insufficient escaping of user-supplied data in mod_ssl.
This low-severity vulnerability allows untrusted SSL/TLS clients to insert escape characters into log files when CustomLog configurations use "%{varname}x" or "%{varname}c" to log mod_ssl variables such as SSL_TLS_SNI.
Server-Side Request Forgery Flaws
Apache HTTP Server 2.4.64 resolves two distinct SSRF vulnerabilities that could enable attackers to manipulate server requests. CVE-2024-43204 affects configurations with mod_proxy loaded and mod_headers configured to modify Content-Type headers using HTTP request values.
This low-severity vulnerability allows attackers to send outbound proxy requests to attacker-controlled URLs, though it requires an unlikely configuration scenario.
The second SSRF vulnerability, CVE-2024-43394, specifically affects Windows installations of Apache HTTP Server.
This moderate-severity flaw allows potential NTLM hash leakage to malicious servers through mod_rewrite rules or Apache expressions that process unvalidated request input via UNC paths.
The Apache HTTP Server Project has announced plans to implement stricter requirements for accepting future SSRF vulnerability reports concerning UNC paths.
Denial of Service and Performance Issues
CVE-2025-49630 affects reverse proxy configurations for HTTP/2 backends with ProxyPreserveHost enabled, allowing untrusted clients to trigger assertions in mod_proxy_http2 and cause service disruption.
CVE-2025-53020 is a memory-related denial of service vulnerability in the HTTP/2 implementation affecting Apache HTTP Server versions 2.4.17 through 2.4.63.
This moderate-severity issue involves late release of memory after its effective lifetime, potentially leading to memory exhaustion attacks.
CVE            | Description                                                                          | Severity
CVE-2024-42516 | HTTP response splitting                                                              | Moderate
CVE-2024-43204 | SSRF with mod_headers setting Content-Type header                                    | Low
CVE-2024-43394 | SSRF on Windows due to UNC paths                                                     | Moderate
CVE-2024-47252 | Insufficient escaping of user-supplied data in mod_ssl                               | Low
CVE-2025-23048 | mod_ssl access control bypass with session resumption                                | Moderate
CVE-2025-49630 | mod_proxy_http2 denial of service attack                                             | Low
CVE-2025-49812 | mod_ssl TLS upgrade attack allowing HTTP session hijacking via man-in-the-middle     | Moderate
CVE-2025-53020 | HTTP/2 DoS by memory increase                                                        | Moderate
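As an added example (not code from the Apache advisory or this article), the following Python helper checks a reported server version against the 2.4.64 fix level and flags the configuration directives this article ties to CVE-2025-49812, CVE-2024-47252 and CVE-2025-49630, so administrators can prioritize which hosts to upgrade first. The httpd.conf fragment and backend host name are constructed for the example; the directive matching is a flat pass that does not track <VirtualHost> or <Proxy> scope.

```python
import re

# First release that closes all eight CVEs in the advisory.
FIXED_VERSION = (2, 4, 64)

# Constructed sample httpd.conf fragment (not from any real deployment).
SAMPLE_CONFIG = """\
# constructed example vhost
ServerTokens Full
<VirtualHost *:443>
    SSLEngine optional
    CustomLog logs/ssl_request.log "%h %{SSL_TLS_SNI}x %{SSL_PROTOCOL}x"
    ProxyPreserveHost On
    ProxyPass "/app" "h2://backend.internal:8443"
</VirtualHost>
"""

def parse_version(banner):
    """Extract (major, minor, patch) from a banner such as 'Apache/2.4.63 (Unix)'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no version in {banner!r}")
    return tuple(int(x) for x in m.groups())

def needs_upgrade(banner):
    """True for any 2.4.x release older than 2.4.64 (the affected range 2.4.0-2.4.63)."""
    v = parse_version(banner)
    return v[:2] == (2, 4) and v < FIXED_VERSION

def audit_config(config_text):
    """Return (line_no, CVE, note) for directives the advisory ties to a CVE.
    Scope (<VirtualHost>/<Proxy> blocks) is not tracked: one flat pass over the file."""
    findings, preserve_host_line, h2_backend = [], None, False
    for n, line in enumerate(config_text.splitlines(), start=1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue  # blank lines and comments carry no directives
        if re.match(r"SSLEngine\s+optional\b", s, re.I):
            findings.append((n, "CVE-2025-49812", "TLS upgrade via 'SSLEngine optional' enables MITM session hijack"))
        elif re.match(r"CustomLog\b", s, re.I) and re.search(r"%\{[^}]+\}[xc]", s):
            findings.append((n, "CVE-2024-47252", "%{var}x/%{var}c logs unescaped mod_ssl variables"))
        elif re.match(r"ProxyPreserveHost\s+On\b", s, re.I):
            preserve_host_line = n
        elif re.match(r"ProxyPass(Match)?\b", s, re.I) and re.search(r"\bh2c?://", s, re.I):
            h2_backend = True  # h2:// or h2c:// backend is served by mod_proxy_http2
    # CVE-2025-49630 needs both ProxyPreserveHost On and an HTTP/2 backend.
    if preserve_host_line and h2_backend:
        findings.append((preserve_host_line, "CVE-2025-49630", "ProxyPreserveHost On with an HTTP/2 backend (mod_proxy_http2 DoS)"))
    return findings
```

A clean result from audit_config does not mean a host is safe: the remaining five CVEs depend on the core or on mod_ssl itself, so the version check is the decisive one.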
Security researchers from several institutions, including Paderborn University and Ruhr University Bochum, as well as various security firms, contributed to identifying these vulnerabilities.
The Apache Software Foundation strongly recommends an immediate upgrade to version 2.4.64 for all users running affected versions.
System administrators should prioritize this update, particularly for production environments that handle sensitive data or operate in high-security contexts, where these vulnerabilities could be exploited.