CVE-2021-44790

CRITICAL

Apache HTTP Server < 2.4.52 - Buffer Overflow in mod_lua Multipart Parser

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-44790. PoCs published by Sunil Iyengar, nuPacaChi.

AI-analyzed exploit summary: This exploit targets a buffer overflow vulnerability in Apache HTTP Server versions prior to 2.4.51. It sends a malformed multipart/form-data payload to trigger a memory allocation error, potentially leading to a denial-of-service (DoS) condition.

Description

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerability though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Sunil Iyengar · python · webapps · multiple
https://www.exploit-db.com/exploits/51193

This exploit targets a buffer overflow vulnerability in Apache HTTP Server versions prior to 2.4.51. It sends a malformed multipart/form-data payload to trigger a memory allocation error, potentially leading to a denial-of-service (DoS) condition.

Classification: Working PoC (90%)
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Apache HTTP Server < 2.4.51
Authentication: No auth needed
Prerequisites: Target server running vulnerable Apache version · Access to a Lua script endpoint
Analyzed by devstral-2 on Feb 16, 2026
nomisec WORKING POC 4 stars
by nuPacaChi · poc
https://github.com/nuPacaChi/-CVE-2021-44790

This repository contains a working PoC for CVE-2021-44790, a buffer overflow vulnerability in Apache HTTP Server's mod_lua module. The exploit triggers a DoS condition by sending a malformed multipart/form-data request, causing a memory allocation error and crashing the Apache service.

Classification: Working PoC (90%)
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Apache HTTP Server < 2.4.51
Authentication: No auth needed
Prerequisites: Apache HTTP Server with mod_lua enabled · Access to a vulnerable endpoint (e.g., test.lua)
Analyzed by devstral-2 on Feb 16, 2026

References (20)

Core References
http://www.openwall.com/lists/oss-security/2021/12/20/4 (Mailing List, Third Party Advisory)
https://www.debian.org/security/2022/dsa-5035 (Third Party Advisory, vendor advisory)
http://seclists.org/fulldisclosure/2022/May/33 (Mailing List, Third Party Advisory)
http://seclists.org/fulldisclosure/2022/May/35 (Mailing List, Third Party Advisory)
http://seclists.org/fulldisclosure/2022/May/38 (Mailing List, Third Party Advisory)
https://security.gentoo.org/glsa/202208-20 (Third Party Advisory, vendor advisory)

Scores

CVSS v3 9.8
EPSS 0.9711
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-787
Status published
Products (22)
apache/http_server < 2.4.52
apple/mac_os_x 10.15.7 security_update_2020-001 (12 CPE variants)
apple/macos < 10.15.7
debian/debian_linux 10.0
debian/debian_linux 11.0
fedoraproject/fedora 34
fedoraproject/fedora 35
fedoraproject/fedora 36
netapp/cloud_backup
oracle/communications_element_manager < 9.0
... and 12 more
Published Dec 20, 2021
Tracked Since Feb 18, 2026