EUVD-2024-54774 | CVE-2024-43204 | HIGH
Published 2025-07-10, source: [email protected]
CVSS 3.1 base score: 7.5

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd), patch available
Analysis Generated: Mar 16, 2026 - 06:52 (vuln.today)
EUVD ID Assigned: Mar 16, 2026 - 06:52 (euvd), EUVD-2024-54774
CVE Published: Jul 10, 2025 - 17:15 (nvd), HIGH 7.5

Description

SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker.  Requires an unlikely configuration where mod_headers is configured to modify the Content-Type request or response header with a value provided in the HTTP request. Users are recommended to upgrade to version 2.4.64 which fixes this issue.

Analysis

CVE-2024-43204 is a Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server when mod_proxy is loaded: an unauthenticated attacker can make the server send an outbound proxy request to a URL of the attacker's choosing. It is only reachable in an uncommon configuration where mod_headers modifies the Content-Type request or response header with a value taken from the incoming HTTP request. Apache recommends upgrading to version 2.4.64, which fixes the issue; it is scored 7.5 (High) with the impact entirely on integrity (C:N/I:H/A:N).

Technical Context

The vulnerability is classed as CWE-918 (Server-Side Request Forgery) in Apache HTTP Server's mod_proxy module, but it is not reachable through mod_proxy alone. The precondition is a mod_headers directive (Header or RequestHeader) that writes the Content-Type request or response header from a value the client supplies, for example a request header copied with the %{Name}i format specifier, an expr= expression reading request data, or an environment variable that SetEnvIf filled from the request. With mod_proxy loaded, a Content-Type value chosen this way can be taken up by httpd as the destination of an outbound proxy request, so the server connects to an attacker-chosen URL on the attacker's behalf and can reach internal hosts that only the server itself can see. No privileges or user interaction are required (PR:N, UI:N), and the CVSS vector assigns the impact to integrity only (C:N/I:H/A:N): the attacker drives requests from the server, and the vector credits no confidentiality or availability loss to the flaw itself. The fix ships in 2.4.64. Affected CPE: cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* (versions prior to 2.4.64 with mod_proxy loaded and the mod_headers configuration above).
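The following is an added example, not part of this advisory or of the httpd project: a small audit script that scans an httpd configuration for exactly the precondition described above, a Header or RequestHeader directive that sets Content-Type from something other than a fixed literal. The directive syntax it recognises is mod_headers' own (%{Name}i request-header specifiers, expr=%{req:Name} and %{HTTP_*} expressions, %{VAR}e environment variables). The embedded configuration, and the header and variable names X-Upload-Type, X-Render-As and UPLOAD_CT in it, are constructed for the example and show the vulnerable pattern next to a literal value and an allowlisted SetEnvIf variant.

```python
import re
import shlex

# mod_headers directives that can write a header, and the actions that assign a value
DIRECTIVES = {"header", "requestheader"}
CONDITIONS = {"always", "onsuccess"}
SETTING_ACTIONS = {"set", "setifempty", "append", "merge", "add", "edit", "edit*"}

# Value sources a client controls directly:
#   %{Name}i            request header, classic format specifier
#   expr=%{req:Name}    request header through ap_expr
#   %{HTTP_*}, %{QUERY_STRING} inside an expr= expression
CLIENT_SOURCED = re.compile(
    r"%\{[^}]+\}i"
    r"|%\{req(?:_novary)?:"
    r"|%\{HTTP_[A-Z_]+\}"
    r"|%\{QUERY_STRING\}",
    re.IGNORECASE,
)


def audit_headers_config(conf_text):
    """Return [(line_no, severity, directive)] for every Content-Type directive
    whose value is not a fixed literal.  'client-controlled' means request data
    flows straight into the header; 'dynamic-review' means an env var or other
    expression that must be checked by hand (it may be allowlisted upstream)."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        try:
            tok = shlex.split(raw, comments=True)   # honours quotes, drops # comments
        except ValueError:                          # unbalanced quotes: httpd rejects these too
            continue
        if not tok or tok[0].lower() not in DIRECTIVES:
            continue
        i = 1
        if i < len(tok) and tok[i].lower() in CONDITIONS:
            i += 1                                  # skip "always" / "onsuccess"
        if len(tok) < i + 3:
            continue                                # no value part, e.g. "unset"
        action, header = tok[i].lower(), tok[i + 1]
        value = " ".join(tok[i + 2:])
        if header.lower() != "content-type" or action not in SETTING_ACTIONS:
            continue
        if CLIENT_SOURCED.search(value):
            findings.append((line_no, "client-controlled", raw.strip()))
        elif "%{" in value or value.lower().startswith("expr="):
            findings.append((line_no, "dynamic-review", raw.strip()))
    return findings


# Constructed sample configuration (assumption: not taken from any real deployment)
SAMPLE_CONF = """\
LoadModule proxy_module modules/mod_proxy.so
LoadModule headers_module modules/mod_headers.so

# Vulnerable: Content-Type copied verbatim from a client-supplied request header
RequestHeader set Content-Type "%{X-Upload-Type}i"

# Vulnerable: the same thing through the expr= form, on the response header
Header set Content-Type "expr=%{req:X-Render-As}"

# Safe: a fixed literal, nothing from the request
Header set Content-Type "application/json"

# Needs review: value arrives via an env var; safe only because SetEnvIf allowlists it
SetEnvIf X-Upload-Type "^(application/pdf|image/png)$" UPLOAD_CT=$1
RequestHeader set Content-Type "%{UPLOAD_CT}e" env=UPLOAD_CT

# Out of scope for this CVE: not the Content-Type header
RequestHeader set X-Forwarded-Proto "https"
"""

if __name__ == "__main__":
    for line_no, severity, directive in audit_headers_config(SAMPLE_CONF):
        print(f"line {line_no}: {severity}: {directive}")
```

The script reads one file's text; in a real review run it over the output of `apachectl -t -D DUMP_INCLUDES` or over every file under the server root, since Header directives in .htaccess and included vhost files count just as much as httpd.conf. The env-variable case is deliberately only flagged for review: the auditor cannot see whether the SetEnvIf that fills the variable constrains it to a media-type allowlist, and that is the decision a human has to make.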

Affected Products

Apache HTTP Server < 2.4.64, with mod_proxy loaded and a mod_headers directive that sets Content-Type from request-supplied data

Remediation

Upgrade Apache HTTP Server to version 2.4.64 or later (priority: High). Download: https://httpd.apache.org/download.cgi
Workaround (temporary): Disable mod_proxy if it is not required (priority: High). Where the server is a reverse proxy this is not an option, and the mod_headers change below is the targeted fix.
Workaround (temporary): Review and restrict the mod_headers configuration (priority: High). Remove or rewrite Header and RequestHeader directives that write unsanitized client input into Content-Type, whether through %{Name}i request-header specifiers, expr= expressions over request data, or environment variables that SetEnvIf derives from request parameters, cookies or client-supplied headers. Set a fixed literal instead, or allowlist the permitted media types before the value reaches the directive.
Mitigation: Enforce network-level egress filtering or a proxy allowlist so the HTTP Server can only open outbound connections to authorized destinations (priority: Medium). This limits where an SSRF can reach; it does not remove the flaw.
Detection: Log the request Content-Type header and alert on values that are not syntactically valid media types, in particular values that contain a URL (priority: Medium). The default "combined" LogFormat does not record the Content-Type header; add %{Content-Type}i to a custom LogFormat. Also watch mod_proxy output for outbound requests to destinations that are not configured backends.
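As an added example of the detection item above (not code from the advisory or from the httpd project), the script below scans access-log lines for Content-Type values that are not media types at all. It assumes a custom LogFormat of the shape %h %t "%r" %>s "%{Content-Type}i" (the page specifies no format; this one is my assumption, and the sample lines are constructed, not real traffic). A value is flagged either because it contains a URL, the shape an SSRF through this flaw would carry, or because it fails the RFC 7231 media-type grammar; the advisory does not state the exact trigger value, so the check is deliberately broad.

```python
import re

# Assumed LogFormat (my assumption, not from the advisory):
#   LogFormat "%h %t \"%r\" %>s \"%{Content-Type}i\"" ctlog
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) "(?P<ctype>[^"]*)"$'
)

# RFC 7231 media-type grammar:
#   token "/" token *( OWS ";" OWS token "=" ( token / quoted-string ) )
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
MEDIA_TYPE = re.compile(rf"^{TOKEN}/{TOKEN}(?:\s*;\s*{TOKEN}=(?:{TOKEN}|{QUOTED}))*$")


def classify_content_type(value):
    """Return None for a plausible media type, otherwise a short reason string."""
    if value in ("", "-"):            # header absent: nothing for mod_headers to copy
        return None
    if "://" in value:
        return "url-like"             # a destination, not a media type
    if not MEDIA_TYPE.match(value):
        return "malformed"            # anything else that is not type/subtype[;params]
    return None


def scan_access_log(lines):
    """Return (client, request, content_type, reason) for every suspicious line."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                  # not in the assumed format; a real run should count these
        reason = classify_content_type(m["ctype"])
        if reason:
            hits.append((m["client"], m["request"], m["ctype"], reason))
    return hits


# Constructed sample lines (assumption: not real traffic; addresses are documentation ranges)
SAMPLE_LOG = [
    '203.0.113.7 [10/Jul/2025:17:15:01 +0000] "POST /upload HTTP/1.1" 200 "image/png"',
    '203.0.113.7 [10/Jul/2025:17:15:02 +0000] "POST /upload HTTP/1.1" 200 "multipart/form-data; boundary=----FormBoundary7MA4"',
    '198.51.100.9 [10/Jul/2025:17:16:10 +0000] "POST /upload HTTP/1.1" 200 "http://attacker.example/collect"',
    '198.51.100.9 [10/Jul/2025:17:16:11 +0000] "POST /upload HTTP/1.1" 200 "http://169.254.169.254/latest/meta-data/"',
    '198.51.100.9 [10/Jul/2025:17:16:12 +0000] "GET /healthz HTTP/1.1" 200 "-"',
    '198.51.100.9 [10/Jul/2025:17:16:13 +0000] "POST /upload HTTP/1.1" 200 "text plain"',
]

if __name__ == "__main__":
    for client, request, ctype, reason in scan_access_log(SAMPLE_LOG):
        print(f"{client} {request!r} Content-Type={ctype!r}: {reason}")
```

The media-type check will also flag honest clients that send sloppy headers, so treat "malformed" as a review queue and "url-like" as an alert. If the vulnerable directive copies from a header other than Content-Type (the %{X-Upload-Type}i pattern), log that source header with the same %{Name}i specifier and run the same classification on it.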

Priority Score

38 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.2, CVSS +38, POC 0

Vendor Status

Ubuntu

Priority: Medium
apache2
Release Status Version
trusty needs-triage -
upstream released 2.4.64-1
jammy released 2.4.52-1ubuntu4.15
noble released 2.4.58-1ubuntu8.7
plucky released 2.4.63-1ubuntu1.1
bionic released 2.4.29-1ubuntu4.27+esm6
focal released 2.4.41-4ubuntu3.23+esm2
xenial released 2.4.18-2ubuntu3.17+esm16
questing released 2.4.64-1ubuntu2

Debian

apache2
Release Status Fixed Version Urgency
bullseye fixed 2.4.65-1~deb11u1 -
bullseye (security) fixed 2.4.66-1~deb11u1 -
bookworm fixed 2.4.65-1~deb12u1 -
bookworm (security) vulnerable 2.4.62-1~deb12u2 -
trixie fixed 2.4.66-1~deb13u2 -
forky, sid fixed 2.4.66-8 -
(unstable) fixed 2.4.64-1 -


EUVD-2024-54774 vulnerability details – vuln.today
