CVE-2022-37436

CVE-2022-37436: Apache HTTP Server: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting

Vendor Apache Software Foundation

Product Apache HTTP Server

Weakness CWE-113 · HTTP response splitting

Published January 17, 2023

Last update April 4, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.

Key dates

Disclosure timeline

January 17, 2023 CVE published

April 4, 2025 Record updated