Unrated severityNVD Advisory· Published Jul 10, 2025· Updated Nov 4, 2025
Apache HTTP Server: SSRF on Windows due to UNC paths
CVE-2024-43394
Description
Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via mod_rewrite or apache expressions that pass unvalidated request input.
This issue affects Apache HTTP Server: from 2.4.0 through 2.4.63.
Note: The Apache HTTP Server Project will be setting a higher bar for accepting vulnerability reports regarding SSRF via UNC paths.
The server offers limited protection against administrators directing the server to open UNC paths. Windows servers should limit the hosts they will connect over via SMB based on the nature of NTLM authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
42.4.0 - 2.4.63+ 1 more
- (no CPE)range: 2.4.0 - 2.4.63
- (no CPE)range: 2.4.0
- osv-coords2 versions
>= 2.4.0, < 2.4.64+ 1 more
- (no CPE)range: >= 2.4.0, < 2.4.64
- (no CPE)range: < 2.4.64-1.1
Patches
Vulnerability mechanics
References
1- httpd.apache.org/security/vulnerabilities_24.htmlmitrevendor-advisory
News mentions
0No linked articles in our index yet.