Http Server Security Vulnerabilities and Issues — Http Server CVE List

Lucene search

ApacheHttp Server

10 matches found

CVE•added 2025/07/10 5:15 p.m.•335 views

CVE-2025-23048

In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trus...

9.1CVSS6.5AI score0.00065EPSS

CVE•added 2025/07/10 5:15 p.m.•211 views

CVE-2025-53020

Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63. Users are recommended to upgrade to version 2.4.64, which fixes the issue.

7.5CVSS6.5AI score0.00455EPSS

CVE•added 2025/07/23 2:15 p.m.•121 views

CVE-2025-54090

A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond expr ..." tests evaluating as "true". Users are recommended to upgrade to version 2.4.65, which fixes the issue.

6.3CVSS6.2AI score0.00127EPSS

CVE•added 2025/07/10 5:15 p.m.•119 views

CVE-2025-49812

In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommende...

7.4CVSS6.4AI score0.00083EPSS

CVE•added 2025/07/10 5:15 p.m.•118 views

CVE-2025-49630

In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2. Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserve...

7.5CVSS6.5AI score0.00347EPSS

CVE•added 2025/07/10 5:15 p.m.•110 views

CVE-2024-47252

Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations. In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variabl...

7.5CVSS6.4AI score0.00084EPSS

CVE•added 2025/07/10 5:15 p.m.•107 views

CVE-2024-42516

HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server can split the HTTP response. This vulnerability was described as CVE-2023-38709 but the patch included in Apache HTTP Ser...

7.5CVSS6.9AI score0.05161EPSS

CVE•added 2025/07/10 5:15 p.m.•99 views

CVE-2024-43204

SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker. Requires an unlikely configuration where mod_headers is configured to modify the Content-Type request or response header with a value provided in the HTTP request...

7.5CVSS6.4AI score0.00231EPSS

CVE•added 2025/07/10 5:15 p.m.•89 views

CVE-2024-43394

Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via mod_rewrite or apache expressions that pass unvalidated request input. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.63. Note: The Apache HTTP Server ...

7.5CVSS6.5AI score0.00092EPSS

CVE•added 2025/04/29 12:15 p.m.•74 views

CVE-2025-3891

A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently, affecting availability.

7.5CVSS5.2AI score0.00541EPSS