Apache Software Foundation released Apache HTTP Server 2.4.64 on July 10, 2025, addressing multiple critical security vulnerabilities that have affected web servers worldwide.
This latest update resolves eight major security flaws, including HTTP response splitting attacks, server-side request forgery (SSRF) vulnerabilities, and denial-of-service exploits that could compromise web server security and stability.
The comprehensive security update comes as organizations increasingly rely on Apache HTTP Server, which powers approximately 23% of all active websites globally.
Security researchers have identified 23 new vulnerabilities in 2024 and 2025 alone, highlighting the ongoing challenges in maintaining web server security in an evolving threat landscape.
Critical Security Flaws Resolved in Version 2.4.64
The most significant vulnerability addressed in this release is CVE-2024-42516, which enables HTTP response splitting attacks.
This moderate-severity flaw allows attackers who can manipulate Content-Type response headers to split HTTP responses, potentially leading to cache poisoning and request smuggling attacks.
The vulnerability was initially described as CVE-2023-38709, but the previous patch in Apache HTTP Server 2.4.59 failed to adequately address the underlying issue.
Multiple Server-Side Request Forgery (SSRF) vulnerabilities have also been patched, including CVE-2024-43204 and CVE-2024-43394.
The latter specifically affects Windows installations and could allow attackers to potentially leak NTLM hashes to malicious servers through UNC path exploitation.
These SSRF vulnerabilities pose significant risks in enterprise environments where Apache servers interact with internal network resources.
The release also addresses CVE-2025-23048, a mod_ssl access control bypass vulnerability that affects TLS 1.3 session resumption.
This moderate-severity flaw could allow trusted clients to bypass configured access controls in multi-virtual host environments, potentially granting unauthorized access to protected resources.
Denial-of-Service and Memory Management Fixes
Apache HTTP Server 2.4.64 resolves several denial-of-service vulnerabilities that could impact server availability.
CVE-2025-53020 addresses a memory management issue in HTTP/2 connections where memory resources were not properly released, potentially leading to memory exhaustion attacks.
| CVE | Description | Severity |
| CVE-2024-42516 | HTTP response splitting | Moderate |
| CVE-2024-43204 | SSRF with mod_headers setting Content-Type header | Low |
| CVE-2024-43394 | SSRF on Windows due to UNC paths | Moderate |
| CVE-2024-47252 | Insufficient escaping of user-supplied data in mod_ssl | Low |
| CVE-2025-23048 | mod_ssl access control bypass with session resumption | Moderate |
| CVE-2025-49630 | mod_proxy_http2 denial of service attack | Low |
| CVE-2025-49812 | mod_ssl TLS upgrade attack allowing HTTP session hijacking via man-in-the-middle attacks | Moderate |
| CVE-2025-53020 | HTTP/2 DoS by memory increase | Moderate |
The vulnerability affects versions 2.4.17 through 2.4.63 and could be exploited to cause server crashes or resource starvation.
Another significant fix addresses CVE-2025-49630, a denial-of-service vulnerability in mod_proxy_http2 that could be triggered by untrusted clients sending specially crafted PING requests.
This vulnerability affects reverse proxy configurations with HTTP/2 backends and ProxyPreserveHost set to “on,” potentially causing server process crashes.
The update also resolves CVE-2025-49812, which removes support for TLS upgrade functionality due to security concerns.
This moderate-severity vulnerability could allow man-in-the-middle attackers to perform HTTP desynchronization attacks and hijack HTTP sessions during TLS upgrades.
Widespread Impact and Urgent Upgrade Recommendations
The vulnerabilities addressed in Apache HTTP Server 2.4.64 present significant security risks across multiple dimensions:
- Affected versions: All Apache HTTP Server versions from 2.4.0 through 2.4.63 are vulnerable, representing nearly a decade of installations worldwide
- Security risks: Organizations running older versions face potential exploitation for unauthorized access, data theft, and service disruption
- Scale of impact: The vulnerabilities affect millions of web servers globally, making this one of the most widespread security updates in recent years
Security experts emphasize the critical nature of this update, particularly for organizations handling sensitive data or operating in regulated industries.
The combination of SSRF vulnerabilities, access control bypasses, and denial-of-service exploits creates a perfect storm for potential security breaches.
The Apache HTTP Server Project has documented 141 total vulnerabilities across all 2.4.x versions, with 19 discovered in 2024 and 4 additional vulnerabilities identified in 2025.
This trend indicates the continuing importance of regular security updates and proactive vulnerability management for web server infrastructure.
System administrators are strongly advised to upgrade to Apache HTTP Server 2.4.64 immediately to protect against these security vulnerabilities.
Organizations should also review their Apache configurations, particularly those involving proxy settings, SSL/TLS configurations, and access controls, to ensure proper security implementation following the upgrade.
Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant updates
