What is the CVSS score of CVE-2024-43204?

CVE-2024-43204 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. EPSS exploitation probability: 0.2%.

Which versions of Http Server are affected by CVE-2024-43204?

A Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server could allow attackers to manipulate outbound proxy requests, potentially exposing internal systems or enabling lateral…. A patch is available.

How to fix or mitigate CVE-2024-43204?

Within 24 hours: Inventory all Apache HTTP Server instances with mod_proxy and mod_headers enabled; assess if headers are configured to accept user-controlled Content-Type values. Within 7 days: Implement compensating controls (WAF rules, network segmentation, disable mod_headers header manipulation); disable mod_proxy if not operationally required. Within 30 days: Plan and execute upgrade to Apache 2.4.64 when patch availability is confirmed; test thoroughly in non-production environments before production deployment.

Http Server CVE-2024-43204

EUVD-2024-54774 HIGH

Server-Side Request Forgery (SSRF) (CWE-918)

2025-07-10 security@apache.org

Apache SSRF Red Hat Http Server Suse

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 16, 2026 - 06:52 euvd

EUVD-2024-54774

Analysis Generated

Mar 16, 2026 - 06:52 vuln.today

CVE Published

Jul 10, 2025 - 17:15 nvd

HIGH 7.5

DescriptionNVD

SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker. Requires an unlikely configuration where mod_headers is configured to modify the Content-Type request or response header with a value provided in the HTTP request.

Users are recommended to upgrade to version 2.4.64 which fixes this issue.

AnalysisAI

CVE-2024-43204 is a Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server when mod_proxy is loaded, allowing unauthenticated attackers to initiate outbound proxy requests to attacker-controlled URLs. The vulnerability requires an uncommon configuration where mod_headers is used to modify Content-Type headers based on user-supplied HTTP request values. Apache recommends immediate upgrade to version 2.4.64 to remediate this high-integrity-impact issue.

Technical ContextAI

The vulnerability exists in Apache HTTP Server's mod_proxy module (CWE-918: Server-Side Request Forgery) and is triggered through unsafe interaction with mod_headers when processing request/response headers. When mod_headers is configured to dynamically modify the Content-Type header using values derived from incoming HTTP requests (e.g., via user input, request parameters, or header reflection), an attacker can inject crafted values that cause mod_proxy to interpret the request as a legitimate proxy request to an arbitrary destination. This exploits improper validation of proxy request destinations, allowing the attacker to use the vulnerable server as an intermediary to reach internal or external systems that would otherwise be inaccessible. The root cause is insufficient sanitization of header values before they are processed by the proxy logic. Affected CPE: cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* (versions prior to 2.4.64).

RemediationAI

Upgrade Apache HTTP Server to version 2.4.64 or later; priority: High; link: https://httpd.apache.org/download.cgi Workaround (Temporary): Disable mod_proxy if not required for operations; priority: High Workaround (Temporary): Review and restrict mod_headers configuration: avoid using Header directives that incorporate unsanitized user input (request parameters, cookies, client-supplied headers) into Content-Type or other proxy-relevant headers; priority: High Mitigation: Implement network-level egress filtering or proxy whitelisting to restrict outbound connections from the HTTP Server to authorized destinations only; priority: Medium Detection: Monitor Apache access logs for unusual outbound proxy requests (via mod_proxy logging) and anomalous Content-Type header values in requests; priority: Medium

More from same product – last 7 days

CVE-2025-48977 HIGH This Week

8.5 May 28

Path traversal in Apache Ignite 2.0.0 through 2.17.0 lets authenticated REST API users read arbitrary files on the serve

CVE-2026-9277 HIGH This Week

8.1 May 22

Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

CVE-2026-42782 HIGH This Week

7.2 May 25

Code execution via Groovy sandbox bypass in Apache Syncope 3.0 through 3.0.16, 4.0 through 4.0.5, and 4.1.0 allows a hig

CVE-2026-43827 MEDIUM This Month

5.9 May 25

Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0

Vendor StatusVendor

Ubuntu

Priority: Medium

apache2

Release	Status	Version
trusty	needs-triage	-
upstream	released	2.4.64-1
jammy	released	2.4.52-1ubuntu4.15
noble	released	2.4.58-1ubuntu8.7
plucky	released	2.4.63-1ubuntu1.1
bionic	released	2.4.29-1ubuntu4.27+esm6
focal	released	2.4.41-4ubuntu3.23+esm2
xenial	released	2.4.18-2ubuntu3.17+esm16
questing	released	2.4.64-1ubuntu2

USN-7639-1 USN-7639-2

Debian

apache2

Release	Status	Fixed Version	Urgency
bullseye	fixed	2.4.65-1~deb11u1	-
bullseye (security)	fixed	2.4.66-1~deb11u1	-
bookworm	fixed	2.4.65-1~deb12u1	-
bookworm (security)	vulnerable	2.4.62-1~deb12u2	-
trixie	fixed	2.4.66-1~deb13u2	-
forky, sid	fixed	2.4.66-8	-
(unstable)	fixed	2.4.64-1	-

DLA-4270-1

CVE-2024-43204 vulnerability details – vuln.today

Back

Http Server CVE-2024-43204

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Vendor StatusVendor

Ubuntu

Debian

Share

External POC / Exploit Code