CVE-2021-40438

mod_proxy SSRF

Basic Information

CVE State: PUBLISHED
Reserved Date: September 02, 2021
Published Date: September 16, 2021
Last Updated: February 06, 2025
Vendor: Apache Software Foundation
Product: Apache HTTP Server
Description: A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.
Tags

CVSS Scores

CVSS v3.1

9.0 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS v2.0

6.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

SSVC Information

Exploitation: active
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2025-05-10 00:00:00 UTC) Source
Proof of Concept Available: Yes (added 2021-10-28 11:48:12 UTC) Source

References

https://httpd.apache.org/security/vulnerabilities_24.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/ https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697%40%3Cusers.httpd.apache.org%3E https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029%40%3Cusers.httpd.apache.org%3E https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432%40%3Cusers.httpd.apache.org%3E https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c%40%3Cusers.httpd.apache.org%3E https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/ https://lists.debian.org/debian-lts-announce/2021/10/msg00001.html https://lists.apache.org/thread.html/r2eb200ac1340f69aa22af61ab34780c531d110437910cb9c0ece3b37%40%3Cbugs.httpd.apache.org%3E https://www.debian.org/security/2021/dsa-4982 https://lists.apache.org/thread.html/r210807d0bb55f4aa6fbe1512be6bcc4dacd64e84940429fba329967a%40%3Cusers.httpd.apache.org%3E https://lists.apache.org/thread.html/rf6954e60b1c8e480678ce3d02f61b8a788997785652e9557a3265c00%40%3Cusers.httpd.apache.org%3E https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ https://www.oracle.com/security-alerts/cpujan2022.html https://www.tenable.com/security/tns-2021-17 https://security.netapp.com/advisory/ntap-20211008-0004/ https://www.oracle.com/security-alerts/cpuapr2022.html https://cert-portal.siemens.com/productcert/pdf/ssa-685781.pdf https://security.gentoo.org/glsa/202208-20

Known Exploited Vulnerability Information

Source	Added Date
CISA	2021-12-01 00:00:00 UTC

Scanner Integrations

Scanner	URL	Date Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-40438.yaml	2025-04-26 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

sergiovks/CVE-2021-40438-Apache-2.4.48-SSRF-exploit

Type: github • Created: 2023-12-12 11:56:23 UTC • Stars: 7

CVE-2021-40438 Apache <= 2.4.48 SSRF exploit

Kashkovsky/CVE-2021-40438

Type: github • Created: 2022-04-03 15:24:24 UTC • Stars: 17

Apache forward request CVE

BabyTeam1024/CVE-2021-40438

Type: github • Created: 2021-10-28 11:48:12 UTC • Stars: 2

sixpacksecurity/CVE-2021-40438

Type: github • Created: 2021-10-24 10:18:08 UTC • Stars: 12

CVE-2021-40438 exploit PoC with Docker setup.

xiaojiangxl/CVE-2021-40438

Type: github • Created: 2021-10-18 02:02:43 UTC • Stars: 4

Timeline

CVE ID Reserved

September 02, 2021
CVE Published to Public

September 16, 2021
Proof of Concept Exploit Available

October 28, 2021
Added to KEVIntel

December 01, 2021
Detected by Nuclei

April 26, 2025