New Release – Apache HTTP Server 2.4.64 Fixes 8 Critical Vulnerabilities

The Apache Software Foundation has released Apache HTTP Server 2.4.64 on July 10, 2025, addressing eight significant security vulnerabilities that affected versions spanning from 2.4.0 through 2.4.63.

This critical update resolves multiple attack vectors, including HTTP response splitting, server-side request forgery (SSRF), and denial-of-service vulnerabilities that could potentially compromise web server security and integrity.

Critical HTTP Response Splitting and SSRF Vulnerabilities Addressed

The most notable fix addresses CVE-2024-42516, a moderate-severity HTTP response splitting vulnerability in the core Apache HTTP Server.

This flaw allows attackers who can manipulate Content-Type response headers to split HTTP responses, potentially leading to cache poisoning and session hijacking attacks.

Notably, this vulnerability was initially identified as CVE-2023-38709; however, the patch included in Apache HTTP Server 2.4.59 failed to address the issue, necessitating a complete fix.

Two distinct SSRF vulnerabilities have also been resolved. CVE-2024-43204 affects configurations where mod_headers modifies Content-Type headers with user-provided values, enabling attackers to send outbound proxy requests to attacker-controlled URLs.

Additionally, CVE-2024-43394 specifically targets Windows deployments, where SSRF attacks through UNC paths could potentially leak NTLM hashes to malicious servers via mod_rewrite or Apache expressions processing unvalidated request input.

SSL/TLS Security Enhancements and DoS Protections

The release includes significant improvements in SSL/TLS security. CVE-2025-23048 addresses an access control bypass vulnerability in mod_ssl configurations that utilize multiple virtual hosts with distinct trusted client certificate sets.

This flaw could allow clients trusted for one virtual host to access another virtual host when SSLStrictSNIVHostCheck is not enabled.

A significant change involves CVE-2025-49812, where Apache has completely removed support for TLS upgrade functionality to prevent HTTP desynchronization attacks.

This vulnerability specifically affected configurations using “SSLEngine optional” to enable TLS upgrades, allowing man-in-the-middle attackers to hijack HTTP sessions.

The update also resolves two denial-of-service vulnerabilities: CVE-2025-49630 in mod_proxy_http2 affecting reverse proxy configurations with HTTP/2 backends, and CVE-2025-53020, which addresses memory management issues in HTTP/2 implementations that could be exploited for DoS attacks.

Deployment Recommendations

Apache strongly recommends an immediate upgrade to version 2.4.64 for all production deployments. The vulnerability timeline shows several issues were reported as recently as June 2025, indicating active security research and potential ongoing threats.

System administrators should prioritize this update, especially for Windows-based deployments and configurations that utilize SSL/TLS with multiple virtual hosts or proxy configurations.

This release continues Apache’s commitment to proactive security maintenance, with fixes addressing vulnerabilities spanning nearly four years of previous releases, from 2.4.0 through 2.4.63.