CVE-2021-40438

CVE-2021-40438: mod_proxy SSRF

Vendor Apache Software Foundation

Product Apache HTTP Server

Weakness CWE-918 · SSRF

KEV Status Known Exploited

Published September 16, 2021

Last update October 21, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

CISA mandated remediation

02CISA Required Action

Apply updates per vendor instructions.

Key dates

03Disclosure timeline

September 16, 2021 CVE published

October 21, 2025 Record updated

External resources

04References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-40438 CISA KEV Reference https://nvd.nist.gov/vuln/detail/CVE-2021-40438

Related vulnerabilities

05Related CVE

CVE-2025-12832 IBM InfoSphere Information Server Server-Side Request Forgery CVE-2024-9410 Ada.cx SSRF via Sentry Misconfiguration CVE-2024-13741 ProfileGrid – User Profiles, Groups and Communities <= 5.9.4.2 - Authenticated (Subscriber+) Limited Server-Side Request Forgery CVE-2025-58005 WordPress DriCub Theme <= 2.9 - Server Side Request Forgery (SSRF) Vulnerability CVE-2026-5052 Vault Vulnerable to Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlled DNS