CVE-2024-43394
HIGHApache HTTP Server < 2.4.64 - SSRF
Title source: ruleDescription
Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via mod_rewrite or apache expressions that pass unvalidated request input. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.63. Note: The Apache HTTP Server Project will be setting a higher bar for accepting vulnerability reports regarding SSRF via UNC paths. The server offers limited protection against administrators directing the server to open UNC paths. Windows servers should limit the hosts they will connect over via SMB based on the nature of NTLM authentication.
References (4)
Scores
CVSS v3
7.5
EPSS
0.0005
EPSS Percentile
15.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Classification
CWE
CWE-918
Status
published
Affected Products (1)
apache/http_server
< 2.4.64
Timeline
Published
Jul 10, 2025
Tracked Since
Feb 18, 2026