Description
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in the mod_proxy_ftp module in Apache HTTP Server with an attacker controlled backend FTP server.

This issue affects undefined: from 2.4.0 through 2.4.67.

Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Published: 2026-06-08
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an infinite loop triggered in mod_proxy_ftp's proxy_ftp_handler when the backend FTP server is under attacker control. Because the loop has an unreachable exit condition, each proxy request can consume excessive resources, eventually exhausting CPU and memory and causing the Apache HTTP Server to become unresponsive. The impact is a denial of service that can affect availability for users and applications relying on the server.

Affected Systems

Apache HTTP Server releases from 2.4.0 through 2.4.67 are affected. The issue was fixed in the 2.4.68 release.

Risk and Exploitability

The current EPSS metric is unavailable, but exploitation is achievable remotely by configuring the server to proxy connections to an attacker-controlled FTP server and then sending requests. The loop can be sustained indefinitely, producing a sustained denial of service. The absence of a CISA KEV listing indicates no publicly known exploit activity yet, yet the severity and ease of configuration changes render the risk high. Users should apply the 2.4.68 patch or mitigate through configuration changes.

Generated by OpenCVE AI on June 8, 2026 at 16:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache HTTP Server to version 2.4.68 or later to remove the infinite loop in mod_proxy_ftp.
  • If an upgrade cannot be performed immediately, disable mod_proxy_ftp or limit its use to trusted backend FTP servers by configuring ProxyPass directives and applying firewall rules to block unauthorized FTP hosts.
  • Monitor server performance for spikes in CPU usage and enforce resource limits such as MaxRequestWorkers to mitigate the impact of any remaining denial of service attempts.

Generated by OpenCVE AI on June 8, 2026 at 16:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
References

Mon, 08 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache apache Http Server
Vendors & Products Apache
Apache apache Http Server

Mon, 08 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in the mod_proxy_ftp module in Apache HTTP Server with an attacker controlled backend FTP server. This issue affects undefined: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Title Apache HTTP Server: Loop in `proxy_ftp_handler` in mod_proxy_ftp
Weaknesses CWE-835
References

Subscriptions

Apache Apache Http Server
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-09T12:20:10.986Z

Reserved: 2026-05-05T15:00:32.613Z

Link: CVE-2026-44186

cve-icon Vulnrichment

Updated: 2026-06-08T22:32:32.111Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-08T16:16:40.453

Modified: 2026-06-09T01:41:00.563

Link: CVE-2026-44186

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T16:30:06Z

Weaknesses