Apache Server Security Bulletin: 8 CVEs Resolved in July 2025 Update


On July 10, 2025, the Apache Software Foundation released Apache HTTP Server version 2.4.64, addressing eight vulnerabilities affecting previous versions from 2.4.0 through 2.4.63. These issues range from HTTP response splitting and SSRF to denial of service and access control bypass, with varying impact levels from low to moderate severity. Immediate patching is recommended for all affected installations to maintain the integrity, confidentiality, and availability of web infrastructure.

Severity Level: Moderate

Vulnerability Details

CVE-2024-42516 – HTTP Response Splitting

  • Description: This flaw allows an attacker to split HTTP responses by injecting line breaks via the Content-Type header.
  • Root Cause: The server failed to adequately sanitize headers set by backend applications.
  • Exploitation: An attacker controlling the Content-Type value in a proxied or hosted app can insert CRLF characters to manipulate downstream HTTP responses.
  • Recommendation: Upgrade to 2.4.64 or sanitize Content-Type values at the application level if unable to patch.
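The application-level fallback in the recommendation above, shown as an added Python example that is not code from the advisory or from the Apache project: a WSGI middleware that rejects any Content-Type (or other header) carrying CR, LF or other control characters before the header reaches the server. The demo app, the X-Wanted-Type request header and the `run` driver are constructed for illustration.

```python
import re

# Any C0 control byte or DEL inside a header value is rejected outright. A CR/LF
# pair is the response-splitting primitive: it ends the header line and lets a
# backend-controlled value start a new header or the body.
_CTL = re.compile(r"[\x00-\x1f\x7f]")

# Conservative media-type shape: type/subtype plus optional ;name=value
# parameters (quoted or token). Anything else is replaced, not repaired, so a
# tampered value can never be "cleaned" into a different but valid header.
_TOKEN = r"[A-Za-z0-9!#$&^_.+-]+"
_MEDIA_TYPE = re.compile(
    r"^" + _TOKEN + r"/" + _TOKEN
    + r"(\s*;\s*" + _TOKEN + r'=(?:"[^"\x00-\x1f\x7f]*"|' + _TOKEN + r"))*$"
)

DEFAULT_TYPE = "application/octet-stream"


def safe_content_type(value, default=DEFAULT_TYPE):
    """Return value if it is a well-formed, control-free media type, else default."""
    if not isinstance(value, str) or _CTL.search(value):
        return default
    value = value.strip()
    return value if _MEDIA_TYPE.match(value) else default


def harden_headers(app):
    """WSGI middleware: every outgoing Content-Type passes through
    safe_content_type; any other header with control characters in its name
    or value is dropped rather than forwarded to the front-end server."""
    def wrapped(environ, start_response):
        def guarded_start_response(status, headers, exc_info=None):
            clean = []
            for name, val in headers:
                if _CTL.search(name):
                    continue
                if name.lower() == "content-type":
                    val = safe_content_type(val)
                elif _CTL.search(val):
                    continue
                clean.append((name, val))
            return start_response(status, clean, exc_info)
        return app(environ, guarded_start_response)
    return wrapped


def demo_app(environ, start_response):
    """Constructed backend that lets a request header dictate the Content-Type,
    the unsafe pattern the advisory describes (X-Wanted-Type is hypothetical)."""
    ctype = environ.get("HTTP_X_WANTED_TYPE", "text/plain")
    start_response("200 OK", [("Content-Type", ctype)])
    return [b"hello"]


def run(app, environ):
    """Minimal WSGI driver returning (status, headers, body) with no server."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    env = {"HTTP_X_WANTED_TYPE": "text/html\r\nSet-Cookie: session=evil"}
    print("unprotected:", run(demo_app, env)[1])
    print("hardened:   ", run(harden_headers(demo_app), env)[1])
```

Rejecting rather than stripping is deliberate: stripping `\r\n` from `text/html\r\nSet-Cookie: x` would yield a syntactically odd but accepted value, while replacing it with a fixed default keeps the response well-formed and makes the tampering visible in application logs.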

CVE-2024-43204 – SSRF via mod_headers

  • Description: An SSRF vulnerability triggered when mod_headers is configured to set the Content-Type based on unvalidated user input.
  • Root Cause: Reflecting user-supplied header values without validation.
  • Exploitation: An attacker can induce the server to send HTTP requests to malicious domains.
  • Recommendation: Upgrade to 2.4.64.

CVE-2024-43394 – SSRF via UNC Paths (Windows)

  • Description: Allows leakage of NTLM credentials via Server-Side Request Forgery using UNC paths.
  • Root Cause: Lack of outbound host restrictions on Windows when using SMB-based paths.
  • Exploitation: Exploited via mod_rewrite rules or unvalidated expressions that point to a UNC path.
  • Mitigation: Apply host-based SMB restrictions or disable unnecessary NTLM features.
  • Recommendation: Upgrade to 2.4.64.

CVE-2024-47252 – mod_ssl Log Injection

  • Description: Malicious clients can insert escape characters into log files by abusing mod_ssl variables.
  • Root Cause: Variables passed into logging configurations were not properly escaped.
  • Exploitation: A specially crafted TLS handshake can result in control characters being logged.
  • Recommendation: Upgrade to 2.4.64.
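A detection-side check for the log injection above, as an added Python example that is not part of the advisory: it scans a log file for control characters in existing entries and shows why a CR/LF injected into a mod_ssl variable is dangerous, namely that the forged entry it produces looks entirely legitimate on its own. The log lines and the assumed CustomLog layout (standard fields followed by %{SSL_PROTOCOL}x and %{SSL_TLS_SNI}x) are constructed, not captured traffic.

```python
import re

# Constructed log content. Line 2 carries an ESC sequence in the SNI field;
# line 3 carries CR LF, which makes line 4 a forged but plausible entry.
SAMPLE_LOG = (
    '203.0.113.5 - - [10/Jul/2025:12:00:01 +0000] "GET / HTTP/1.1" 200 512 TLSv1.3 "www.example.test"\n'
    '203.0.113.6 - - [10/Jul/2025:12:00:02 +0000] "GET / HTTP/1.1" 200 512 TLSv1.3 "www\x1b[2Jexample.test"\n'
    '203.0.113.7 - - [10/Jul/2025:12:00:03 +0000] "GET / HTTP/1.1" 403 0 TLSv1.3 "x\r\n'
    '198.51.100.9 - - [10/Jul/2025:12:00:03 +0000] "GET /admin HTTP/1.1" 200 9 TLSv1.3 "www.example.test"\n'
)

# C0 controls and DEL. TAB is included deliberately: a tab-separated CustomLog
# format would need it removed from this class before use.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
NAMES = {0x1b: "ESC", 0x0d: "CR", 0x0a: "LF", 0x09: "TAB", 0x08: "BS", 0x00: "NUL"}


def describe(ch):
    """Human-readable name for a control character."""
    code = ord(ch)
    return NAMES.get(code, "CTL-%02X" % code)


def escape_view(line):
    """Render a line with control characters shown as \\xNN so it is safe to print."""
    return CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), line)


def scan_log(text):
    """Return (line_no, [(offset, name), ...], safe_view) for every line that
    contains a control character. The text is split on LF only, so a stray CR
    stays attached to the line that carried it instead of being swallowed."""
    results = []
    for n, line in enumerate(text.split("\n"), 1):
        hits = [(m.start(), describe(m.group())) for m in CONTROL_CHARS.finditer(line)]
        if hits:
            results.append((n, hits, escape_view(line)))
    return results


def looks_like_clf_entry(line):
    """Heuristic: does the line open like a Common Log Format entry?"""
    return bool(re.match(r'^\S+ \S+ \S+ \[[^\]]+\] "', line))


if __name__ == "__main__":
    for n, hits, view in scan_log(SAMPLE_LOG):
        print("line %d: %s -> %s" % (n, ", ".join(name for _, name in hits), view))
    forged = SAMPLE_LOG.split("\n")[3]
    print("forged line passes the shape check:", looks_like_clf_entry(forged))
```

The point the last line makes is that format checks alone do not catch the forged entry; the CR residue on the preceding line does. Scanning should therefore run on raw bytes before any line-splitting tool normalises line endings.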

CVE-2025-23048 – Access Control Bypass via TLS Session Resumption

  • Description: Clients with valid TLS sessions can bypass access controls on restricted virtual hosts.
  • Root Cause: Insufficient enforcement of SSLStrictSNIVHostCheck during TLS session resumption.
  • Exploitation: An attacker can reuse a session intended for one virtual host to access another.
  • Recommendation: Enable SSLStrictSNIVHostCheck and upgrade to 2.4.64.

CVE-2025-49630 – DoS via mod_proxy_http2

  • Description: Assertion failure in mod_proxy_http2 can be triggered by crafted backend responses.
  • Root Cause: Faulty logic during host preservation in certain reverse proxy setups.
  • Exploitation: Untrusted client causes the proxy module to crash with assertion failure.
  • Mitigation: Temporarily disable HTTP/2 proxying or remove ProxyPreserveHost "on" until the patch is applied.
  • Recommendation: Upgrade to 2.4.64.

CVE-2025-49812 – TLS Upgrade Hijack

  • Description: A man-in-the-middle attacker can hijack HTTP sessions during TLS upgrades.
  • Root Cause: Insecure use of SSLEngine optional, allowing protocol desynchronization.
  • Exploitation: Desynchronized states allow attackers to inject HTTP data and hijack the session.
  • Recommendation: Remove SSLEngine optional and upgrade to 2.4.64, which disables TLS upgrades by default.

CVE-2025-53020 – HTTP/2 Memory Leak

  • Description: Memory is not released promptly in HTTP/2, allowing attackers to exhaust resources.
  • Root Cause: Memory is released later than the point at which it is no longer needed.
  • Exploitation: Attackers can hold connections open to gradually deplete server memory.
  • Recommendation: Apply rate limiting or concurrent connection caps for HTTP/2 traffic; upgrade to 2.4.64.

Affected Versions

All vulnerabilities affect:

  • Apache HTTP Server versions 2.4.0 through 2.4.63
  • The Windows-specific issue (CVE-2024-43394) affects Windows-based deployments only
  • Configuration-specific issues (e.g., mod_ssl, mod_headers, mod_proxy_http2) apply only where the relevant module is enabled and configured as described above

Fixed Versions

All eight vulnerabilities are resolved in Apache HTTP Server 2.4.64, released July 10, 2025.
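A first-pass audit that ties the version and configuration advice above together, as an added Python example that is not code from the advisory or the Apache project: it parses `httpd -v` output against the fixed version and flags the directives this advisory names (SSLEngine optional, SSLStrictSNIVHostCheck off or absent, ProxyPreserveHost on combined with h2:// proxying, and a Header directive that builds Content-Type from a request-derived expression). The httpd.conf excerpt and version output are constructed; the Header check is a heuristic, and the scan ignores `<VirtualHost>` scoping, so it may over-report in multi-host configurations.

```python
import re

# Constructed httpd.conf excerpt containing several settings the advisory
# singles out. Not a real deployment's configuration.
SAMPLE_CONFIG = """\
ServerName www.example.test
Listen 443
<VirtualHost *:443>
    SSLEngine optional
    SSLStrictSNIVHostCheck off
    ProxyPreserveHost On
    ProxyPass "/api/" "h2://backend.internal:8443/"
    Header set Content-Type "%{X-Requested-Type}i"
</VirtualHost>
"""

# Constructed `httpd -v` output for a version the advisory lists as affected.
SAMPLE_VERSION_OUTPUT = "Server version: Apache/2.4.63 (Unix)\nServer built:   Jan  1 2025 00:00:00\n"

FIXED_VERSION = (2, 4, 64)


def parse_httpd_version(text):
    """Extract (major, minor, patch) from `httpd -v` output, or None."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_fixed(version):
    """True when the parsed version is at or beyond the advisory's fix."""
    return version is not None and version >= FIXED_VERSION


def _directives(config_text):
    """Yield (line_no, name, argument_string) for directive lines; section
    tags and comments are skipped, so scoping is deliberately ignored."""
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        yield n, parts[0], (parts[1] if len(parts) > 1 else "")


def audit_config(config_text):
    """Return (line_no, cve, message) findings; line 0 means 'not set anywhere'."""
    findings = []
    saw_strict_sni = False
    preserve_host_lines, h2_proxy_lines = [], []
    for n, name, args in _directives(config_text):
        lname, largs = name.lower(), args.lower()
        if lname == "sslengine" and largs.startswith("optional"):
            findings.append((n, "CVE-2025-49812",
                             "SSLEngine optional permits TLS upgrade; use 'on' or 'off'"))
        elif lname == "sslstrictsnivhostcheck":
            saw_strict_sni = True
            if largs.startswith("off"):
                findings.append((n, "CVE-2025-23048", "SSLStrictSNIVHostCheck is off; set it to on"))
        elif lname == "proxypreservehost" and largs.startswith("on"):
            preserve_host_lines.append(n)
        elif lname in ("proxypass", "proxypassmatch") and re.search(r"\bh2c?://", largs):
            h2_proxy_lines.append(n)
        elif (lname == "header" and re.search(r"\bset\s+content-type\b", largs)
              and ("%{" in largs or "expr=" in largs)):
            findings.append((n, "CVE-2024-43204",
                             "Header builds Content-Type from a request-derived expression; validate or hard-code it"))
    if not saw_strict_sni:
        findings.append((0, "CVE-2025-23048", "SSLStrictSNIVHostCheck not set (default off); set it to on"))
    if preserve_host_lines and h2_proxy_lines:
        for n in preserve_host_lines:
            findings.append((n, "CVE-2025-49630",
                             "ProxyPreserveHost on alongside h2:// proxying (lines %s); remove until patched"
                             % h2_proxy_lines))
    return sorted(findings)


if __name__ == "__main__":
    version = parse_httpd_version(SAMPLE_VERSION_OUTPUT)
    print("httpd %s, fixed: %s" % (".".join(map(str, version)), is_fixed(version)))
    for line_no, cve, msg in audit_config(SAMPLE_CONFIG):
        print("line %d [%s] %s" % (line_no, cve, msg))
```

In practice the two inputs come from `httpd -v` and the output of `httpd -t -D DUMP_CONFIG` (or the concatenated config files), the latter giving a flattened view in which included files are already resolved.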

Source:

  • https://httpd.apache.org/security/vulnerabilities_24.html

Ampcus Cyber