CVE-2024-38475

Confirmed PUBLISHED

Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path.

Apache Software Foundation · Apache HTTP Server
Exploited in the wild PoC available

Recommended Action

Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.

Confidence
Confirmed
Exploitation Status
Exploited in the wild
Observed in Sensors
No
Attempts (30d)
Unique Attacker IPs
CISA KEV
In CISA KEV
CVSS / EPSS
9.1 Critical EPSS 100.0%

At a Glance

Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected.  Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.

cisa apache nuclei_scanner
CVE Published
Jul 01, 2024
Exploitation Reported
May 01, 2025
CVSS
9.1 Critical
EPSS
100.0%
Remote Low complexity No user interaction Unauthenticated

Affected Versions

Vendor Product Version Status
apache
http_server

2.4.0 to <= 2.4.59

Affected
netapp
ontap_9

0 to < *

Affected
Apache Software Foundation
Apache HTTP Server

2.4.0 to <= 2.4.59

Affected

CVE References

Recommended Actions

  • Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
  • Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
  • Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.