AI description
CVE-2024-40725 is a vulnerability affecting Apache HTTP Server versions 2.4.0 to 2.4.61. It involves the `mod_proxy` module, where enabling the `ProxyPass` directive with specific URL rewrite rules can lead to HTTP Request Smuggling attacks. This can occur when the proxy and backend servers parse HTTP requests inconsistently. The vulnerability can result in unauthorized access, data exposure, and session hijacking, potentially leading to data theft or manipulation. In some cases, "AddType" configurations may result in source code disclosure of local content, such as PHP scripts being served instead of interpreted. Users are recommended to upgrade to version 2.4.62 to address this issue.
- Description
- A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.62, which fixes this issue.
- Source
- security@apache.org
- NVD status
- Modified
- Products
- http_server
CVSS 3.1
- Type
- Primary
- Base score
- 5.3
- Impact score
- 1.4
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- Severity
- MEDIUM
- security@apache.org
- CWE-668
- nvd@nist.gov
- NVD-CWE-noinfo
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
24
🚨CVE-2024-40725: Apache 2.4.0/2.4.61 HTTP Request Smuggling... Using Custom Nuclei Template CVSS: 5.3 PoC: https://t.co/kPMseM0Siu Via: https://t.co/fo2Ov5guJc https://t.co/utrPu7Nwf2
@DarkWebInformer
16 Aug 2025
12163 Impressions
52 Retweets
230 Likes
155 Bookmarks
0 Replies
0 Quotes
A patch addressing the Apache HTTP Server vulnerabilities (CVE-2024-40898/CVE-2024-40725) bundled with Arcserve UDP has been released. Users of Arcserve UDP 9.2 or earlier are encouraged to consider applying it. P00003206 | Arcserve UDP 9.x | Patch for Apache httpd Vulnerabilities https://t.co/4EtoSZvbqW
@Arcserve_jp
19 Jan 2025
71 Impressions
0 Retweets
1 Like
0 Bookmarks
1 Reply
0 Quotes
Guys, every week I exploit different CVEs. This week we looked at CVE-2024-40725, an HTTP Request Smuggling issue in Apache HTTPD. https://t.co/iweXHuIu1q
@soltanali0
18 Dec 2024
235 Impressions
0 Retweets
10 Likes
4 Bookmarks
0 Replies
0 Quotes
GitHub - soltanali0/CVE-2024-40725: exploit CVE-2024-40725 (Apache httpd) with https://t.co/oWK1lyNlHc
@akaclandestine
18 Dec 2024
6466 Impressions
26 Retweets
117 Likes
45 Bookmarks
2 Replies
1 Quote
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:apache:http_server:2.4.60:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3B948936-6007-4436-AF16-CCE8F59E0C29"
          },
          {
            "criteria": "cpe:2.3:a:apache:http_server:2.4.61:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DA1CBE0F-AE94-4412-B8AB-8D6FC8698B86"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]