CVE-2024-43204

CVE-2024-43204: Apache HTTP Server: SSRF with mod_headers setting Content-Type header

Vendor Apache Software Foundation

Product Apache HTTP Server

Weakness CWE-918 · SSRF

Published July 10, 2025

Last update November 4, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker. Requires an unlikely configuration where mod_headers is configured to modify the Content-Type request or response header with a value provided in the HTTP request. Users are recommended to upgrade to version 2.4.64 which fixes this issue.

Key dates

Disclosure timeline

July 10, 2025 CVE published

November 4, 2025 Record updated