CVE-2025-59775

CVE-2025-59775: Apache HTTP Server: NTLM Leakage on Windows through UNC SSRF

Vendor Apache Software Foundation
Product Apache HTTP Server
Weakness CWE-918 · SSRF
Published December 5, 2025
Last update December 5, 2025

CVSS base score

What the vulnerability does

Description

A Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on Windows with AllowEncodedSlashes On and MergeSlashes Off potentially allows NTLM hashes to be leaked to a malicious server via SSRF and malicious requests or content. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
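A configuration audit for the directive combination named above, as an added example that is not part of the advisory or of Apache's own tooling. It assumes a single configuration file (it does not follow `Include`), assumes virtual hosts inherit global values, does not check the host OS, and uses a constructed sample config; the function names are hypothetical.

```python
import re

# httpd's documented defaults for the two directives the advisory names.
DEFAULTS = {"allowencodedslashes": "off", "mergeslashes": "on"}
FIXED = (2, 4, 66)  # fixed release stated in the advisory

def is_fixed(version):
    """True when an httpd version string such as '2.4.65' is at or above the fix."""
    return tuple(int(p) for p in version.split(".")[:3]) >= FIXED

def affected_scopes(conf_text):
    """Return scopes ('global' or the <VirtualHost> argument) whose effective
    settings are AllowEncodedSlashes On together with MergeSlashes Off."""
    scopes, current = {"global": {}}, "global"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = opened.group(1).strip()
            scopes.setdefault(current, {})
        elif re.match(r"</VirtualHost\s*>", line, re.I):
            current = "global"
        else:
            parts = line.split()
            if parts[0].lower() in DEFAULTS and len(parts) >= 2:
                scopes[current][parts[0].lower()] = parts[1].lower()
    hits = []
    for name, local in scopes.items():
        # Assumption: a virtual host inherits the global value unless it sets its own.
        eff = {**DEFAULTS, **scopes["global"], **local}
        if eff["allowencodedslashes"] == "on" and eff["mergeslashes"] == "off":
            hits.append(name)
    return hits

# Constructed sample configuration, not taken from any real server.
SAMPLE_CONF = """
AllowEncodedSlashes On
<VirtualHost *:80>
    MergeSlashes Off
</VirtualHost>
<VirtualHost *:443>
    AllowEncodedSlashes NoDecode
    MergeSlashes Off
</VirtualHost>
<VirtualHost *:8080>
    MergeSlashes OFF
</VirtualHost>
"""

if __name__ == "__main__":
    print(affected_scopes(SAMPLE_CONF), is_fixed("2.4.65"))
```

Only the literal `On`/`Off` pairing from the description is flagged; `NoDecode` is reported as not matching because the advisory does not name it.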

Key dates

Disclosure timeline

December 5, 2025 CVE published
December 5, 2025 Record updated