Cyber Resilience

CVE-2024-38475

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 01 July 2024

Modified: 17 November 2025
KEV Added: 01 May 2025
Patch
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.9386 (99.9th percentile)
Risk Priority: 95 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-38475 is a critical-severity Improper Encoding or Escaping of Output (CWE-116) vulnerability in Apache HTTP Server. Its CVSS base score is 9.1 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2024-38475 is an improper output escaping flaw in the mod_rewrite module of Apache HTTP Server 2.4.59 and earlier. It occurs when RewriteRule substitutions in server context use backreferences or variables as the first segment, allowing crafted URLs to resolve to filesystem paths that the server is permitted to serve but that were never intended to be directly addressable.

An unauthenticated remote attacker can send specially formed HTTP requests that exploit the mapping behavior to read arbitrary source files or execute code under the server's privileges, corresponding to the observed CVSS 9.1 rating.

Apache's security advisory and the associated patch (commit 9a6157d) recommend upgrading to a corrected release; administrators who must retain affected rules can apply the UnsafePrefixStat flag after verifying that substitutions are properly constrained. NetApp and oss-security postings reiterate the same upgrade guidance.
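To find the rules this applies to before and after upgrading, the following added example (not code from Apache or from this page) scans configuration text for server-context RewriteRule substitutions that begin with a backreference or variable and reports whether each already carries UnsafePrefixStat. The section list, the "optional leading slash" heuristic, and the sample configuration (paths, TENANT_ROOT) are assumptions made for illustration.

```python
import re
import shlex

# Per-directory sections (assumption: rules anywhere else are server context).
_SECTIONS = r"(?:Directory|Files|Location)(?:Match)?"
PER_DIR_OPEN = re.compile(rf"^<\s*{_SECTIONS}\b", re.I)
PER_DIR_CLOSE = re.compile(rf"^</\s*{_SECTIONS}\s*>", re.I)
# Assumed heuristic: optional "/" followed by $N, %N, ${...} or %{...}.
DYNAMIC_FIRST = re.compile(r"^/?[$%](?:\d|\{)")

def audit(config_text):
    """Return (line_no, substitution, status) for matching server-context rules."""
    findings, depth = [], 0
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if PER_DIR_CLOSE.match(line):
            depth = max(depth - 1, 0)
        elif PER_DIR_OPEN.match(line):
            depth += 1
        elif depth == 0:
            try:
                parts = shlex.split(line)
            except ValueError:  # e.g. an unbalanced quote inside a pattern
                parts = line.split()
            if len(parts) < 3 or parts[0].lower() != "rewriterule":
                continue
            flags = parts[3].strip("[]").split(",") if len(parts) > 3 else []
            names = {f.split("=")[0].strip().lower() for f in flags}
            if DYNAMIC_FIRST.match(parts[2]):
                status = "opted-in" if "unsafeprefixstat" in names else "review"
                findings.append((no, parts[2], status))
    return findings

# Constructed sample configuration; paths and TENANT_ROOT are made up.
SAMPLE = r'''
<VirtualHost *:80>
    RewriteEngine On
    RewriteRule "^/html/(.*)$" "/$1.html" [L]
    RewriteRule "^/static/(.*)$" "/var/www/static/$1" [L]
    RewriteRule "^/t/(.*)$" "%{ENV:TENANT_ROOT}/$1" [L,UnsafePrefixStat]
    <Directory "/var/www/app">
        RewriteRule "^(.*)$" "$1.php" [L]
    </Directory>
</VirtualHost>
'''

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Rules reported as "review" are the ones to constrain or rewrite with a fixed prefix; rules reported as "opted-in" should be re-checked to confirm the substitution is still tightly bounded.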

The EPSS score has remained near its peak value of 0.9394 since disclosure, indicating sustained exploitation interest without a pronounced post-release climb.

EU & UK References

Vulnerability details

Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use backreferences or variables as the first segment of the substitution are affected. Some unsafe RewriteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.

CWE(s)
KEV Date Added: 01 May 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor / Product / Affected versions
apache / http server / 2.4.0 — 2.4.60
netapp / ontap 9 / all versions
sonicwall / sma 200 firmware / ≤ 10.2.1.14-75sv
sonicwall / sma 210 firmware / ≤ 10.2.1.14-75sv
sonicwall / sma 400 firmware / ≤ 10.2.1.14-75sv
sonicwall / sma 410 firmware / ≤ 10.2.1.14-75sv
sonicwall / sma 500v firmware / ≤ 10.2.1.14-75sv

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Enforces that URL-to-filesystem mappings only permit intentionally exposed resources, directly blocking the unauthorized file/code access enabled by unsafe mod_rewrite substitutions.

prevent: Requires filtering/escaping of server-generated output such as RewriteRule substitutions, directly mitigating the CWE-116 improper escaping flaw.

prevent: Mandates prompt application of vendor patches that correct the substitution handling logic in mod_rewrite.

References