SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker.  Requires an unlikely configuration where mod_headers is configured to modify the Content-Type request or response header with a value provided in the HTTP request.

Users are recommended to upgrade to version 2.4.64 which fixes this issue.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Tue, 29 Jul 2025 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00017}

epss

{'score': 0.00037}


Tue, 15 Jul 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Mon, 14 Jul 2025 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N'}

threat_severity

Moderate


Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00017}


Thu, 10 Jul 2025 17:00:00 +0000

Type Values Removed Values Added
Description SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker.  Requires an unlikely configuration where mod_headers is configured to modify the Content-Type request or response header with a value provided in the HTTP request. Users are recommended to upgrade to version 2.4.64 which fixes this issue.
Title Apache HTTP Server: SSRF with mod_headers setting Content-Type header
Weaknesses CWE-918
References

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2025-07-15T19:56:45.283Z

Reserved: 2024-08-08T15:13:29.047Z

Link: CVE-2024-43204

cve-icon Vulnrichment

Updated: 2025-07-11T16:07:00.518Z

cve-icon NVD

Status : Analyzed

Published: 2025-07-10T17:15:45.987

Modified: 2025-07-29T15:16:18.623

Link: CVE-2024-43204

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-07-14T07:14:13Z

Links: CVE-2024-43204 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2025-07-12T16:01:32Z