Description

Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via  mod_rewrite or apache expressions that pass unvalidated request input. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.63. Note:  The Apache HTTP Server Project will be setting a higher bar for accepting vulnerability reports regarding SSRF via UNC paths. The server offers limited protection against administrators directing the server to open UNC paths. Windows servers should limit the hosts they will connect over via SMB based on the nature of NTLM authentication.

INFO

Published Date :

2025-07-10T16:56:07.720Z

Last Modified :

2025-11-04T21:08:53.876Z

Source :

apache
AFFECTED PRODUCTS

The following products are affected by CVE-2024-43394 vulnerability.

Vendors Products
Apache
  • Apache Http Server
  • Http Server
Microsoft
  • Windows
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-43394.

URL Resource
http://www.openwall.com/lists/oss-security/2025/07/10/2 cve-icon
http://www.openwall.com/lists/oss-security/2025/07/10/5 cve-icon
https://httpd.apache.org/security/vulnerabilities_24.html cve-icon cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2025/08/msg00009.html cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2024-43394 cve-icon
https://www.cve.org/CVERecord?id=CVE-2024-43394 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact