CVE-2024-38476

CVE-2024-38476: Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect

Vendor Apache Software Foundation

Product Apache HTTP Server

Weakness CWE-829 · Inclusion from untrusted sphere

Published July 1, 2024

Last update November 3, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

Key dates

Disclosure timeline

July 1, 2024 CVE published

November 3, 2025 Record updated