This latest update resolves a range of issues, including HTTP response splitting, server-side request forgery (SSRF), and denial of service vulnerabilities that could potentially compromise server security and performance. Apache HTTP Server 2.4.64 fixes eight vulnerabilities across all 2.4.x versions, including HTTP response splitting and SSRF flaws. Apache HTTP Server 2.4.64 resolves two distinct SSRF vulnerabilities that could enable attackers to manipulate server requests. The Apache HTTP Server Project has announced plans to implement stricter standards for accepting future SSRF vulnerability reports regarding UNC paths. The second SSL issue, CVE-2025-49812, affects configurations using “SSLEngine optional” to enable TLS upgrades, allowing man-in-the-middle attackers to hijack HTTP sessions via TLS upgrade attacks. The second SSRF vulnerability, CVE-2024-43394, specifically targets Windows installations of Apache HTTP Server. Notably, this vulnerability was previously identified as CVE-2023-38709, but the patch included in Apache HTTP Server 2.4.59 failed to adequately address the issue. This low-severity vulnerability allows untrusted SSL/TLS clients to insert escape characters into log files when CustomLog configurations use “%{varname}x” or “%{varname}c” to log mod_ssl variables such as SSL_TLS_SNI. Security researchers from multiple institutions, including Paderborn University and Ruhr University Bochum, as well as various security firms, contributed to identifying these vulnerabilities. CVE-2025-49630 affects reverse proxy configurations for HTTP/2 backends with ProxyPreserveHost enabled, allowing untrusted clients to trigger assertions in mod_proxy_http2 and cause service disruption.
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 11 Jul 2025 08:50:09 +0000