Apache HTTP Server 2.4.64 Released With Patch for 8 Vulnerabilities
The Apache Software Foundation has released Apache HTTP Server version 2.4.64, addressing eight critical security vulnerabilities that affected versions spanning from 2.4.0 through 2.4.63.
This latest update resolves a range of issues, including HTTP response splitting, server-side request forgery (SSRF), and denial of service vulnerabilities that could potentially compromise server security and performance.
Key Takeaways
1. Apache HTTP Server 2.4.64 fixes eight vulnerabilities across all 2.4.x versions, including HTTP response splitting and SSRF flaws.
2. SSL/TLS patches resolve access control bypass, TLS upgrade hijacking, and log injection issues.
3. SSRF fixes address mod_proxy exploitation and Windows NTLM hash leakage via UNC paths.
4. HTTP/2 DoS vulnerabilities in proxy configs and memory exhaustion require immediate upgrade.
HTTP Response and SSL/TLS Security Flaws
The most significant vulnerability patched in this release is CVE-2024-42516, a moderate-severity HTTP response splitting vulnerability in Apache HTTP Server’s core.
This flaw allows attackers who can manipulate Content-Type response headers of hosted or proxied applications to split HTTP responses.
Notably, this vulnerability was previously identified as CVE-2023-38709, but the patch included in Apache HTTP Server 2.4.59 failed to adequately address the issue.
Two additional SSL/TLS-related vulnerabilities have been resolved. CVE-2025-23048 represents a moderate-severity access control bypass affecting mod_ssl configurations on Apache HTTP Server versions 2.4.35 through 2.4.63.
This vulnerability enables trusted clients to bypass access controls using TLS 1.3 session resumption in multi-virtual host environments with different trusted client certificate configurations.
The second SSL issue, CVE-2025-49812, affects configurations using “SSLEngine optional” to enable TLS upgrades, allowing man-in-the-middle attackers to hijack HTTP sessions via TLS upgrade attacks.
Another security concern addressed is CVE-2024-47252, involving insufficient escaping of user-supplied data in mod_ssl.
This low-severity vulnerability allows untrusted SSL/TLS clients to insert escape characters into log files when CustomLog configurations use “%{varname}x” or “%{varname}c” to log mod_ssl variables such as SSL_TLS_SNI.
Server-Side Request Forgery Flaws
Apache HTTP Server 2.4.64 resolves two distinct SSRF vulnerabilities that could enable attackers to manipulate server requests. CVE-2024-43204 affects configurations with mod_proxy loaded and mod_headers configured to modify Content-Type headers using HTTP request values.
This low-severity vulnerability allows attackers to send outbound proxy requests to attacker-controlled URLs, though it requires an unlikely configuration scenario.
The second SSRF vulnerability, CVE-2024-43394, specifically targets Windows installations of Apache HTTP Server.
This moderate-severity flaw enables potential NTLM hash leakage to malicious servers through mod_rewrite or Apache expressions that process unvalidated request input via UNC paths.
The Apache HTTP Server Project has announced plans to implement stricter standards for accepting future SSRF vulnerability reports regarding UNC paths.
Denial of Service and Performance Issues
CVE-2025-49630 affects reverse proxy configurations for HTTP/2 backends with ProxyPreserveHost enabled, allowing untrusted clients to trigger assertions in mod_proxy_http2 and cause service disruption.
CVE-2025-53020 represents a memory-related denial of service vulnerability in HTTP/2 implementations affecting Apache HTTP Server versions 2.4.17 through 2.4.63.
This moderate-severity issue involves late release of memory after effective lifetime, potentially leading to memory exhaustion attacks.
| CVE | Description | Severity |
| CVE-2024-42516 | HTTP response splitting | Moderate |
| CVE-2024-43204 | SSRF with mod_headers setting Content-Type header | Low |
| CVE-2024-43394 | SSRF on Windows due to UNC paths | Moderate |
| CVE-2024-47252 | Insufficient escaping of user-supplied data in mod_ssl | Low |
| CVE-2025-23048 | mod_ssl access control bypass with session resumption | Moderate |
| CVE-2025-49630 | mod_proxy_http2 denial of service attack | Low |
| CVE-2025-49812 | mod_ssl TLS upgrade attack allowing HTTP session hijacking via man-in-the-middle attacks | Moderate |
| CVE-2025-53020 | HTTP/2 DoS by memory increase | Moderate |
Security researchers from multiple institutions, including Paderborn University and Ruhr University Bochum, as well as various security firms, contributed to identifying these vulnerabilities.
The Apache Software Foundation strongly recommends an immediate upgrade to version 2.4.64 for all users running affected versions.
System administrators should prioritize this update, particularly for production environments that handle sensitive data or operate in high-security contexts, where these vulnerabilities could be exploited.
Investigate live malware behavior, trace every step of an attack, and make faster, smarter security decisions -> Try ANY.RUN now
Source link
