Apache HTTP Server
Monthly
Use-after-free in the mod_http2 module of Apache HTTP Server versions 2.4.55 through 2.4.67 allows remote attackers to trigger memory corruption when the server's file handle pool is exhausted. The flaw carries a CVSS 7.3 (low impact across confidentiality, integrity, and availability) and is reachable over the network without authentication or user interaction, though no public exploit had been identified at the time of analysis. Tagging emphasizes denial-of-service and memory corruption as the primary realistic outcomes.
Apache HTTP Server 2.4.0-2.4.67 has a buffer underwrite (CWE-124) in ap_regname, triggered by a crafted regular expression in the server configuration. The vendor (Apache) rates this Low severity. A separate CISA-ADP assessment assigned CVSS 9.8 using a network, unauthenticated vector that is inconsistent with the vendor description, because exploitation requires control over the httpd configuration. No public exploit and not in CISA KEV. Fixed in 2.4.68.
Privilege escalation in Apache HTTP Server 2.4.0 through 2.4.67 allows local users with .htaccess write access to read arbitrary files using the privileges of the httpd daemon process, exploiting improper privilege management (CWE-269). The attack vector is local, requires low privileges, and impacts only confidentiality - no integrity or availability impact is present. No public exploit code and no active exploitation have been identified; SSVC classifies technical impact as partial and the vulnerability as non-automatable, consistent with the targeted, local nature of the attack.
Out-of-bounds read in Apache HTTP Server 2.4.0 through 2.4.67 arises from an interaction between mod_headers, mod_mime, and multi-language content negotiation, allowing unauthenticated remote attackers to trigger memory reads beyond allocated buffer boundaries. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) confirms low-complexity, unauthenticated network exploitation yielding limited confidentiality and integrity impact with no availability consequence. No active exploitation confirmed in CISA KEV, and no public exploit code has been identified at time of analysis.
Improper path handling in the mod_dav_fs module of Apache HTTP Server 2.4.67 and earlier permits a WebDAV content author to directly manipulate trusted DAV property databases, leading to integrity violations and child process crashes. With a CVSS of 9.1 (AV:N/AC:L/PR:N/UI:N) and SSVC technical impact rated 'total' with automatable=yes, the flaw is highly impactful, though there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Denial of service in Apache HTTP Server versions 2.4.0 through 2.4.67 stems from a heap-based buffer overflow triggered when the server processes responses from a malicious backend while ProxyPassReverseCookieDomain or ProxyPassReverseCookiePath directives are in use. Remote attackers controlling or compromising an upstream backend can crash the front-end Apache process, impacting availability of the reverse proxy without affecting confidentiality or integrity. No public exploit had been identified at the time of analysis, and the issue is not listed in CISA KEV.
Denial of service in Apache HTTP Server versions 2.4.0 through 2.4.67 stems from an infinite loop condition in the mod_proxy_ftp module when interacting with an attacker-controlled backend FTP server. Remote attackers can degrade availability and partially impact confidentiality and integrity without authentication, though exploitation requires a proxied request path to a malicious FTP backend. No public exploit had been identified at the time of analysis, and EPSS is very low at 0.02%.
Cross-site scripting in Apache HTTP Server's mod_proxy_ftp module allows a network-accessible attacker to inject malicious scripts into HTML directory listings generated when the server proxies FTP directory contents. Affected are all versions of Apache HTTP Server up to and including 2.4.67, in both forward and reverse proxy configurations. No public exploit code has been identified at time of analysis, and CISA KEV listing is absent, but the Changed scope (S:C) in the CVSS vector means injected scripts execute in victims' browsers under the origin of the proxy host, elevating the effective impact beyond the medium base score.
Remote code execution in Apache HTTP Server versions 2.4.0 through 2.4.67 is possible through a use-after-free condition in mod_ldap when LDAP authentication or authorization is configured in a per-directory context. The CVSS 9.8 rating reflects unauthenticated network exploitation with high impact across confidentiality, integrity, and availability, though no public exploit has been identified at time of analysis and EPSS exploitation probability remains very low at 0.02%. CISA SSVC assesses exploitation status as none but flags the issue as automatable with total technical impact.
Uncontrolled resource consumption in Apache HTTP Server's mod_md module allows remote unauthenticated attackers to exhaust server resources via malformed OCSP response data, affecting versions 2.4.30 through 2.4.66. The vulnerability has confidentiality, integrity, and availability impact and is exploitable over the network with low complexity. No active exploitation has been confirmed (not in CISA KEV), but the network-accessible attack surface and lack of authentication requirement make this a credible threat requiring prompt patching to version 2.4.67.
Remote attackers can crash Apache HTTP Server 2.4.66 and earlier by sending malicious requests that trigger a NULL pointer dereference in mod_dav_lock, causing denial of service. The vulnerability affects only servers with mod_dav_lock enabled, a legacy module whose primary use-case (Apache Subversion < 1.2.0) is obsolete in modern deployments. CISA SSVC indicates no active exploitation, but the attack is automatable against susceptible configurations. CVSS 7.5 (High) reflects network-accessible, unauthenticated denial of service, though real-world impact is limited to the small subset of servers still running mod_dav_lock.
Timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows remote unauthenticated attackers to bypass Digest authentication with high attack complexity. The vulnerability exploits measurable timing differences in digest credential validation, enabling credential compromise without valid authentication. Apache has released patched version 2.4.67; no active exploitation has been confirmed, and the CISA SSVC framework indicates automatable exploitation is not feasible due to the timing attack's sensitivity requirements.
Null pointer dereference in mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows unauthenticated remote attackers to crash child processes in caching forward proxy configurations, resulting in denial of service. The vulnerability has CVSS 5.3 (medium) with network accessibility and no authentication required, but is limited to partial availability impact affecting only specific proxy deployments. Vendor-released patch: version 2.4.67.
HTTP response splitting in Apache HTTP Server 2.4.0 through 2.4.66 allows remote attackers to inject arbitrary HTTP headers and content when the server acts as a proxy to untrusted or compromised backend servers, enabling cache poisoning, session fixation, and cross-site scripting attacks. CVSS 6.5 (moderate) with network attack vector, no authentication required, and confirmed automatable exploitation per CISA SSVC framework. Vendor-released patch: version 2.4.67.
Out-of-bounds read in mod_proxy_ajp of Apache HTTP Server through version 2.4.66 allows remote unauthenticated attackers to disclose sensitive information via a crafted AJP protocol request. The vulnerability has a CVSS score of 5.3 (moderate) with no active exploitation confirmed. Upgrade to version 2.4.67 to remediate.
Improper null termination and out-of-bounds read vulnerability in Apache HTTP Server through version 2.4.66 allows remote unauthenticated attackers to trigger information disclosure with low complexity exploitation. The vulnerability has a CVSS score of 5.3 (medium) with network-accessible attack vector and no user interaction required, though technical impact is limited to confidentiality (partial information disclosure). Vendor-released patch: version 2.4.67 addresses the issue.
Buffer over-read in Apache HTTP Server through 2.4.66 enables remote unauthenticated information disclosure at network scale. Attackers can read sensitive memory content without authentication or user interaction, achieving high confidentiality impact with low attack complexity. EPSS exploitation probability and KEV status were not provided, but the SSVC framework confirms the vulnerability is automatable with partial technical impact and no active exploitation detected at the time of analysis. Patch released in version 2.4.67.
Local .htaccess authors can escalate privileges to read arbitrary files as the httpd daemon user in Apache HTTP Server 2.4.66 and earlier. The vulnerability requires low-privilege authenticated access to create or modify .htaccess files, but exploits misconfigured module interactions to bypass intended access controls. Apache has released version 2.4.67 to address this issue. SSVC assessment indicates no active exploitation and non-automatable attack vector, with EPSS data not yet available for this recent disclosure.
CVE-2025-58098 is a high-severity security vulnerability (CVSS 8.3) requiring prompt remediation.
A security vulnerability in Apache HTTP Server (CVSS 5.4). Remediation should follow standard vulnerability management procedures.
A security vulnerability in Apache HTTP Server (CVSS 6.5). Remediation should follow standard vulnerability management procedures.
Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on Windows with AllowEncodedSlashes On and MergeSlashes Off allows an attacker to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the backoff timer becoming 0. Attempts to renew the certificate are then repeated without delay until one succeeds. This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
CVE-2025-53020 is a late release of memory after effective lifetime vulnerability (use-after-free) in Apache HTTP Server versions 2.4.17 through 2.4.63 that allows unauthenticated remote attackers to cause denial of service with high availability impact. The vulnerability has a CVSS score of 7.5 (high severity) with network-accessible attack vector and low attack complexity, making it easily exploitable without authentication. Affected organizations running vulnerable Apache HTTP Server versions should prioritize upgrading to version 2.4.64 immediately.
CVE-2025-49812 is an HTTP request smuggling/desynchronization vulnerability in Apache HTTP Server's mod_ssl that allows man-in-the-middle attackers to hijack HTTPS sessions by exploiting improper handling of TLS upgrades. Only Apache HTTP Server versions through 2.4.63 with 'SSLEngine optional' configurations are affected, enabling session hijacking with high confidentiality and integrity impact. The vulnerability requires network-level access and careful timing but does not require user interaction or privileges; upgrade to 2.4.64 (which removes TLS upgrade support entirely) is the recommended mitigation.
CVE-2025-49630 is a denial of service vulnerability in Apache HTTP Server versions 2.4.26 through 2.4.63 that can be triggered by untrusted remote clients when a reverse proxy is configured with HTTP/2 backend support and ProxyPreserveHost enabled, causing an assertion failure that crashes the proxy process. The vulnerability has a CVSS score of 7.5 (High) with network-accessible attack vector and no authentication required, making it immediately exploitable by unauthenticated remote attackers.
CVE-2025-23048 is an authentication bypass vulnerability in Apache HTTP Server 2.4.35-2.4.63 affecting mod_ssl configurations with multiple virtual hosts using different client certificate restrictions. An attacker with valid client certificates trusted by one virtual host can exploit TLS 1.3 session resumption to access another restricted virtual host if SSLStrictSNIVHostCheck is not enabled, achieving unauthorized access to confidential information and potentially modifying data. This is a network-accessible vulnerability with no authentication required and high real-world impact.
CVE-2024-47252 is a high-severity security vulnerability (CVSS 7.5) requiring prompt remediation.
CVE-2024-43394 is a Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on Windows (versions 2.4.0-2.4.63) that allows unauthenticated remote attackers to leak NTLM credential hashes to malicious servers through unvalidated request input processed by mod_rewrite or Apache expressions. The vulnerability exploits Windows SMB/UNC path handling to trigger NTLM authentication, potentially compromising domain credentials. This is a high-severity issue affecting all default Windows installations without explicit UNC path filtering.
CVE-2024-43204 is a Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server when mod_proxy is loaded, allowing unauthenticated attackers to initiate outbound proxy requests to attacker-controlled URLs. The vulnerability requires an uncommon configuration where mod_headers is used to modify Content-Type headers based on user-supplied HTTP request values. Apache recommends immediate upgrade to version 2.4.64 to remediate this high-integrity-impact issue.
HTTP response splitting vulnerability in Apache HTTP Server core allows network-based attackers without authentication to inject arbitrary HTTP headers and content into responses by manipulating Content-Type headers in proxied or hosted applications, potentially enabling cache poisoning, session hijacking, or XSS attacks. Affects Apache HTTP Server versions prior to 2.4.64, with a critical note that the initial patch in 2.4.59 was incomplete. This is a regression/incomplete fix of CVE-2023-38709, indicating patch evasion and suggesting active exploitation interest.
Denial of service against HTTP/2 server implementations allows remote unauthenticated attackers to exhaust server resources by rapidly opening and immediately canceling (RST_STREAM) large numbers of streams over a single connection, a technique dubbed the 'Rapid Reset' attack. The flaw is confirmed actively exploited (CISA KEV) following large-scale weaponization observed August through October 2023, with publicly available exploit code and an EPSS score of 94.45% placing it in the 100th percentile for likelihood of exploitation. Virtually every major HTTP/2 stack - including nghttp2, Netty, Envoy, and Eclipse Jetty - is affected.