CVE-2024-38475
Published: 01 July 2024
Summary
CVE-2024-38475 is a critical-severity Improper Encoding or Escaping of Output (CWE-116) vulnerability in Apache HTTP Server. Its CVSS base score is 9.1 (Critical).
Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2024-38475 is an improper output escaping flaw in the mod_rewrite module of Apache HTTP Server 2.4.59 and earlier. It occurs when RewriteRule substitutions in server context use backreferences or variables as the first segment, allowing crafted URLs to resolve to filesystem paths that the server is permitted to serve but that were never intended to be directly addressable.
An unauthenticated remote attacker can send specially formed HTTP requests that exploit the mapping behavior to read arbitrary source files or execute code under the server's privileges, corresponding to the observed CVSS 9.1 rating.
Apache's security advisory and the associated patch (commit 9a6157d) recommend upgrading to a corrected release; administrators who must retain affected rules can apply the UnsafePrefixStat flag after verifying that substitutions are properly constrained. NetApp and oss-security postings reiterate the same upgrade guidance.
The EPSS score has remained near its peak value of 0.9394 since disclosure, indicating sustained exploitation interest without a pronounced post-release climb.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-37356
Vulnerability details
Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use backreferences or variables as the first segment of the substitution are affected. Some unsafe RewriteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.
- CWE(s)
- KEV Date Added: 01 May 2025
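An added example, not part of the original page or of Apache's code: a Python audit that lists server-context RewriteRule directives whose substitution begins with a backreference or variable, the pattern the description above says is affected, and reports whether each one already carries UnsafePrefixStat. The sample configuration is constructed, and treating only Directory, Location and Files sections as per-directory context is a simplifying assumption.

```python
import re

# Sections whose rules run in per-directory context, not server context.
# Simplification: <If>, Include files and line continuations are not handled.
PER_DIR = re.compile(r"<\s*(Directory|Location|Files)(Match)?\b", re.I)
PER_DIR_END = re.compile(r"<\s*/\s*(Directory|Location|Files)(Match)?\s*>", re.I)
RULE = re.compile(r"RewriteRule\s+(.*)$", re.I)
# First segment is a backreference ($N, %N) or variable/map (%{...}, ${...}).
LEADING_REF = re.compile(r"(\$\d|%\d|%\{|\$\{)")

def split_args(text):
    """Split directive arguments, honouring double-quoted strings."""
    return [a or b for a, b in re.findall(r'"((?:[^"\\]|\\.)*)"|(\S+)', text)]

def audit(config_text):
    """Return (line_no, substitution, has_UnsafePrefixStat) per flagged rule."""
    findings, depth = [], 0
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if PER_DIR_END.match(line):
            depth = max(depth - 1, 0)
        elif PER_DIR.match(line):
            depth += 1
        m = RULE.match(line)
        if not m or depth:
            continue  # not a RewriteRule, or inside a per-directory section
        args = split_args(m.group(1))
        if len(args) < 2 or not LEADING_REF.match(args[1]):
            continue  # substitution starts with a literal prefix
        flags = args[2].strip("[]").split(",") if len(args) > 2 else []
        opted_in = any(f.strip().lower() == "unsafeprefixstat" for f in flags)
        findings.append((no, args[1], opted_in))
    return findings

# Constructed sample configuration (not taken from the advisory).
SAMPLE = r'''
<VirtualHost *:80>
    RewriteEngine On
    RewriteRule "^/html/(.*)$" "$1.html"
    RewriteRule "^/img/(.*)$" "/var/www/img/$1"
    RewriteRule ^/u/(.*)$ %{DOCUMENT_ROOT}/users/$1 [L,UnsafePrefixStat]
    <Directory "/var/www/app">
        RewriteRule "^(.*)$" "$1.php"
    </Directory>
</VirtualHost>
'''

if __name__ == "__main__":
    for no, subst, opted_in in audit(SAMPLE):
        print(f"line {no}: {subst!r} UnsafePrefixStat={opted_in}")
```

Rules reported without the flag are the ones to review before upgrading, since the description says some of them will stop working; rules reported with the flag have opted back in and should be checked for a properly constrained substitution.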
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Enforces that URL-to-filesystem mappings only permit intentionally exposed resources, directly blocking the unauthorized file/code access enabled by unsafe mod_rewrite substitutions.
Requires filtering/escaping of server-generated output such as RewriteRule substitutions, directly mitigating the CWE-116 improper escaping flaw.
Mandates prompt application of vendor patches that correct the substitution handling logic in mod_rewrite.