The Apache Software Foundation has issued a new release, Apache HTTP Server version 2.4.64, patching eight security vulnerabilities that affect a broad range of server configurations. None of them carries a critical rating (the project rates each as low or moderate), but several have real impact, especially in misconfigured or unmonitored environments, and most are reachable only through a specific configuration that administrators can check for today.
CVE-2024-42516: HTTP Response Splitting Returns
Originally disclosed as CVE-2023-38709, this moderate-severity vulnerability persisted because the patch shipped in version 2.4.59 did not fully address it.
"HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers… to split the HTTP response."
An attacker who can influence the Content-Type header emitted by an application hosted or proxied by the server could inject additional headers or content into the responses served to clients, potentially bypassing security controls that rely on response headers.
CVE-2024-43204: SSRF via mod_headers and Content-Type Header
This low-severity Server-Side Request Forgery (SSRF) flaw arises in setups where mod_proxy is loaded and mod_headers is configured to rewrite the Content-Type header using a value taken from the request.
"Requires an unlikely configuration where mod_headers is configured to modify the Content-Type… with a value provided in the HTTP request."
Although the configuration is unlikely, it would let an attacker steer the proxy's outbound requests to a URL they control.
CVE-2024-43394: SSRF on Windows via UNC Paths
This Windows-specific SSRF lets an attacker coerce the server into opening a UNC path on a host they control, which can leak NTLM credential hashes.
"SSRF in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via mod_rewrite or apache expressions that pass unvalidated request input."
The Apache team notes: "The server offers limited protection against administrators directing the server to open UNC paths."
As a hardening step, restrict the hosts a Windows-based server may reach over SMB (for example, block outbound TCP/445 to untrusted networks) and audit RewriteRule and expression directives that pass unvalidated request input into paths.
CVE-2024-47252: mod_ssl Log Injection
In certain logging configurations, an untrusted TLS client can poison log files by injecting escape sequences.
"No escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files."
If you use CustomLog with SSL variables such as %{SSL_TLS_SNI}x, raw control characters supplied by the client reach the log file verbatim, which can hide or forge entries in terminals and log viewers and undermine log integrity.
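As an added example, not code from the article or the Apache project, the following Python scanner flags access-log lines that carry raw control characters, the symptom CVE-2024-47252 produces when a CustomLog format includes an unescaped SSL variable. The log lines are constructed for this example and the LogFormat they assume is hypothetical; the sanitize_line helper mirrors the backslash-hex style of escaping mod_log_config applies to ordinary fields, so logs pulled from an unpatched server can be neutralised on ingest.

```python
import re

# Constructed sample lines, as a CustomLog using the (assumed) format
# "%h %l %u %t \"%r\" %>s %b sni=%{SSL_TLS_SNI}x" could emit them on 2.4.63
# or earlier, where the SNI value is written without escaping.
SAMPLE_LOG = (
    '203.0.113.7 - - [10/Jul/2025:10:15:01 +0000] "GET / HTTP/1.1" 200 512 '
    'sni=www.example.com\n'
    # ANSI "erase line, cursor up" sequence that hides the entry in a terminal.
    '203.0.113.9 - - [10/Jul/2025:10:15:02 +0000] "GET / HTTP/1.1" 200 512 '
    'sni=www.example.com\x1b[2K\x1b[1A\n'
    # A bare carriage return followed by a fabricated entry that visually
    # overwrites the real one.
    '203.0.113.9 - - [10/Jul/2025:10:15:03 +0000] "GET / HTTP/1.1" 200 512 '
    'sni=x\r'
    '198.51.100.1 - - [10/Jul/2025:10:15:03 +0000] "GET /admin HTTP/1.1" 200 0 '
    'sni=forged.example.com\n'
)

# C0 control characters and DEL, excluding the newline that ends a record.
# Tab is left out as well because some log formats emit it legitimately.
CONTROL_CHARS = re.compile(r'[\x00-\x08\x0b-\x1f\x7f]')


def scan_log(text):
    """Return [(line_no, [hex codes])] for every line carrying raw control
    characters; such lines are exactly what an unescaped %{SSL_*}x field
    lets an untrusted TLS client produce."""
    findings = []
    for n, line in enumerate(text.split('\n'), start=1):
        hits = CONTROL_CHARS.findall(line)
        if hits:
            findings.append((n, sorted({'0x%02x' % ord(c) for c in hits})))
    return findings


def sanitize_line(line):
    """Rewrite control characters as \\xNN so the text is inert in a terminal
    or log viewer; apply this when ingesting logs from an unpatched server."""
    return CONTROL_CHARS.sub(lambda m: '\\x%02x' % ord(m.group(0)), line)


if __name__ == '__main__':
    for line_no, codes in scan_log(SAMPLE_LOG):
        print('line %d: control characters %s' % (line_no, ', '.join(codes)))
```

Running the module reports lines 2 and 3 of the sample; after sanitize_line the same scan comes back empty. The same check is worth wiring into whatever ships the access log to a SIEM, since the injected sequences are harmless once escaped but can hide a real request from anyone reading the raw file.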
CVE-2025-23048: Access Control Bypass via TLS Session Resumption
Under TLS 1.3 with mod_ssl, when several virtual hosts are each restricted to a different set of trusted client certificates (for example via different SSLCACertificateFile or SSLCACertificatePath settings) and SSLStrictSNIVHostCheck is not enabled, a client that one virtual host trusts can use TLS 1.3 session resumption to reach another.
"A client trusted to access one virtual host may be able to access another virtual host."
This affects versions 2.4.35 through 2.4.63 and undermines certificate-based access control between virtual hosts; enabling SSLStrictSNIVHostCheck is the configuration-side mitigation.
CVE-2025-49630: DoS in mod_proxy_http2
A reverse proxy configured for an HTTP/2 backend with ProxyPreserveHost on can be taken down by untrusted clients.
"Untrusted clients causing an assertion in mod_proxy_http2" crashes the worker, and the effect is worst where the reverse proxy is exposed directly to the internet.
CVE-2025-49812: TLS Upgrade Desync Attack
This attack allows a man-in-the-middle to hijack an HTTP session when Apache is configured for opportunistic TLS upgrade via SSLEngine optional; configurations that use SSLEngine on are not affected, and 2.4.64 removes support for TLS upgrade altogether.
"An HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade."
CVE-2025-53020: Memory Leak in HTTP/2
In versions 2.4.17 to 2.4.63, a memory management flaw under HTTP/2 could allow resource exhaustion:
"Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server."
This could lead to performance degradation or a full DoS if exploited persistently.
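Most of the issues above depend on a named configuration condition, so they can be checked for before a maintenance window opens. As an added example, not code from the article or the Apache project, the following Python script audits an httpd configuration for those conditions (SSLEngine optional, several client-certificate-restricted virtual hosts without SSLStrictSNIVHostCheck, ProxyPreserveHost on in front of an HTTP/2 backend, SSL variables in a log format) and parses the version line of `httpd -v`. The embedded httpd.conf excerpt is constructed to trigger every check, with hypothetical host names and paths; the directive parsing is a simple line-based approximation (no Include handling, and SSLStrictSNIVHostCheck is treated as global even though httpd evaluates it per address:port), so treat its output as a prompt for review rather than proof of exposure.

```python
import re

FIXED_VERSION = (2, 4, 64)
VHOST_RE = re.compile(r'<VirtualHost\b[^>]*>(.*?)</VirtualHost>', re.S | re.I)
SSL_LOG_VAR_RE = re.compile(r'%\{SSL_[A-Z0-9_]+\}x')

# Constructed httpd.conf excerpt (hypothetical hosts and paths) carrying each
# risky setting named in the 2.4.64 advisories.
SAMPLE_CONF = r"""
LogFormat "%h %l %u %t \"%r\" %>s %b sni=%{SSL_TLS_SNI}x" sslfmt
CustomLog logs/ssl_access.log sslfmt

<VirtualHost *:443>
    ServerName tenant-a.example.com
    SSLEngine on
    SSLVerifyClient require
    SSLCACertificateFile conf/tenant-a-ca.pem
</VirtualHost>

<VirtualHost *:443>
    ServerName tenant-b.example.com
    SSLEngine on
    SSLVerifyClient require
    SSLCACertificateFile conf/tenant-b-ca.pem
</VirtualHost>

<VirtualHost *:80>
    ServerName legacy.example.com
    SSLEngine optional
</VirtualHost>

<VirtualHost *:8443>
    ServerName api.example.com
    ProxyPreserveHost On
    ProxyPass / h2://backend.internal:8443/
</VirtualHost>
"""


def directive(block, name):
    """Argument string of the first `name` directive in block, or None."""
    m = re.search(r'^\s*' + name + r'\s+(.+?)\s*$', block, re.M | re.I)
    return m.group(1) if m else None


def audit_conf(conf):
    """Return [(cve_id, explanation)] for each advisory condition found."""
    findings = []
    vhosts = VHOST_RE.findall(conf)

    # CVE-2025-49812: the TLS-upgrade path only exists with "SSLEngine optional".
    if re.search(r'^\s*SSLEngine\s+optional\b', conf, re.M | re.I):
        findings.append(('CVE-2025-49812',
                         'SSLEngine optional enables TLS upgrade; serve TLS on a '
                         'dedicated port with SSLEngine on instead'))

    # CVE-2025-23048: several vhosts trusting different client CAs and no
    # "SSLStrictSNIVHostCheck on" anywhere (approximation, see lead-in).
    ca_sets = {directive(v, 'SSLCACertificateFile') or
               directive(v, 'SSLCACertificatePath') for v in vhosts}
    ca_sets.discard(None)
    strict = re.search(r'^\s*SSLStrictSNIVHostCheck\s+on\b', conf, re.M | re.I)
    if len(ca_sets) >= 2 and not strict:
        findings.append(('CVE-2025-23048',
                         '%d virtual hosts trust different client CAs without '
                         'SSLStrictSNIVHostCheck on' % len(ca_sets)))

    # CVE-2025-49630: reverse proxy to an HTTP/2 backend with ProxyPreserveHost on.
    for v in vhosts:
        preserve = directive(v, 'ProxyPreserveHost')
        h2_targets = re.findall(r'^\s*ProxyPass(?:Match)?\s+\S+\s+(h2c?://\S+)',
                                v, re.M | re.I)
        if preserve and preserve.lower() == 'on' and h2_targets:
            findings.append(('CVE-2025-49630',
                             'ProxyPreserveHost On in front of HTTP/2 backend '
                             + h2_targets[0]))

    # CVE-2024-47252: SSL variables in a log format are written unescaped.
    for m in re.finditer(r'^\s*(?:LogFormat|CustomLog)\s+(.+)$', conf, re.M | re.I):
        var = SSL_LOG_VAR_RE.search(m.group(1))
        if var:
            findings.append(('CVE-2024-47252',
                             'log format writes %s unescaped' % var.group(0)))
    return findings


def version_outdated(httpd_v_output):
    """Parse the 'Server version: Apache/x.y.z' line of `httpd -v`; return
    (version_tuple, True if the build predates 2.4.64)."""
    m = re.search(r'Apache/(\d+)\.(\d+)\.(\d+)', httpd_v_output)
    if not m:
        raise ValueError('no Apache version string found')
    ver = tuple(int(x) for x in m.groups())
    return ver, ver < FIXED_VERSION


if __name__ == '__main__':
    for cve, why in audit_conf(SAMPLE_CONF):
        print('%s: %s' % (cve, why))
    print(version_outdated('Server version: Apache/2.4.63 (Unix)'))
```

Run against the sample, the audit reports all four configuration-dependent advisories; swapping in SSLEngine on, ProxyPreserveHost Off, a log format without SSL variables and SSLStrictSNIVHostCheck on clears every finding, which is the same set of interim changes to make where upgrading cannot happen immediately. The version check is deliberately a plain tuple comparison so it can be dropped into an inventory script that collects `httpd -v` output from each host.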
Final Advice
Apache HTTP Server 2.4.64, released on July 10, 2025, addresses all of the above issues. If your infrastructure runs any version from 2.4.0 through 2.4.63, upgrade. Where that cannot happen immediately, remove the configuration conditions the advisories name as an interim measure: replace SSLEngine optional with SSLEngine on, enable SSLStrictSNIVHostCheck where virtual hosts trust different client CAs, avoid ProxyPreserveHost on in front of HTTP/2 backends, and keep SSL variables out of CustomLog formats.
Even low-severity bugs can escalate quickly in high-traffic, multi-tenant, or loosely monitored environments. Apache's transparent and proactive patching process is commendable, but it only helps if system administrators apply the fixes.