Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-43394

Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via mod_rewrite or apache expressions that pass unvalidated request input. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.63. Note: The Apache HTTP Server Project will be setting a higher bar for accepting vulnerability reports regarding SSRF via UNC paths. The server offers limited protection against administrators directing the server to open UNC paths. Windows servers should limit the hosts they will connect over via SMB based on the nature of NTLM authentication.

Published

2025-07-10T17:15:46.133

Last Modified

2025-11-04T22:16:03.600

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses

Type: Secondary
CWE-918

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	http_server	< 2.4.64	Yes
Operating System	microsoft	windows	-	No

References

https://httpd.apache.org/security/vulnerabilities_24.html Vendor Advisory ([email protected])
http://www.openwall.com/lists/oss-security/2025/07/10/2 (af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2025/07/10/5 (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2025/08/msg00009.html (af854a3a-2127-422b-91ae-364da2661108)