Red Hat Http Server

Large Allocations in Expat <2.7.2 via Small XML (DoS)
CVE-2025-59375 7.5 - High - September 15, 2025

libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.

Allocation of Resources Without Limits or Throttling

Apache Httpd 2.4.35-2.4.63 mod_ssl TLS1.3 SR Access Ctrl Bypass
CVE-2025-23048 9.1 - Critical - July 10, 2025

In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.

Authorization

Apache HTTP Server 2.4.63 & earlier mod_ssl: HTTP Desync via TLS Upgrade
CVE-2025-49812 7.4 - High - July 10, 2025

In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.

authentification

Apache HTTP Server 2.4.x: mod_proxy_http2 assertion triggers DoS via proxy
CVE-2025-49630 7.5 - High - July 10, 2025

In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2. Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to "on".

assertion failure

Apache HTTP Server 2.4.63 mod_ssl log injection via unsanitized SSL var
CVE-2024-47252 7.5 - High - July 10, 2025

Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations. In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files.

Improper Neutralization of Escape, Meta, or Control Sequences

Memory Corruption in libxml2 via sch:name -> DoS
CVE-2025-49796 9.1 - Critical - June 16, 2025

A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.

Out-of-bounds Read

libxml2 NULL ptr deref via XPath causes DoS
CVE-2025-49795 7.5 - High - June 16, 2025

A NULL pointer dereference vulnerability was found in libxml2 when processing XPath XML expressions. This flaw allows an attacker to craft a malicious XML input to libxml2, leading to a denial of service.

Dangling pointer

UAF in libxml2 XPath Parsing via sch:name Path (CVE-2025-49794)
CVE-2025-49794 9.1 - Critical - June 16, 2025

A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.

Dangling pointer

Stack Overflow in libxml2 xmlBuildQName (CVE-2025-6021)
CVE-2025-6021 7.5 - High - June 12, 2025

A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.

Integer Overflow or Wraparound

ModSecurity 2.9.8 Denial of Service via JSON sanitiseMatchedBytes rule
CVE-2025-47947 - May 21, 2025

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case (in stable released versions): when the payload's content type is `application/json`, and there is at least one rule which does a `sanitiseMatchedBytes` action. A patch is available at pull request 3389 and expected to be part of version 2.9.9. No known workarounds are available.

Excessive Platform Resource Consumption within a Loop

libxml2 <2.13.8/2.14.2: heap under-read in xmlSchemaIDCFillNodeTables
CVE-2025-32415 2.9 - Low - April 17, 2025

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.

Improper Validation of Specified Quantity in Input

OOB Mem Access in libxml2 Python API before 2.13.8 & 2.14.2
CVE-2025-32414 5.6 - Medium - April 08, 2025

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.

Return of Wrong Status Code

DoS via Stack Overflow in libexpat Recursive Entity Expansion
CVE-2024-8176 7.5 - High - March 14, 2025

A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.

Stack Exhaustion

SSRF via mod_rewrite in Apache HTTP Server on Windows (pre-2.4.62)
CVE-2024-40898 7.5 - High - July 18, 2024

SSRF in Apache HTTP Server on Windows with mod_rewrite in server/vhost context, allows to potentially leak NTML hashes to a malicious server via SSRF and malicious requests. Users are recommended to upgrade to version 2.4.62 which fixes this issue. 

SSRF

Apache HTTP Server 2.4.59 mod_rewrite RCE (CVE-2024-38474)
CVE-2024-38474 9.8 - Critical - July 01, 2024

Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified.

Output Sanitization

Apache HTTP Server mod_rewrite SSRF before 2.4.60 via mod_proxy
CVE-2024-39573 7.5 - High - July 01, 2024

Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL's to be handled by mod_proxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

Improper Input Validation

Apache HTTP Server 2.4.59 and earlier: mod_rewrite Improper Escaping Bypass
CVE-2024-38475 9.1 - Critical - July 01, 2024

Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected.  Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.

Output Sanitization

Apache HTTP Server 2.4.59 Info Disclosure/SSRF via Malicious Response Headers
CVE-2024-38476 9.8 - Critical - July 01, 2024

Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

Inclusion of Functionality from Untrusted Control Sphere

Apache 2.4.59 mod_proxy URL Encoding Flaw Auth Bypass
CVE-2024-38473 - July 01, 2024

Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

Output Sanitization

Apache HTTP Server 2.4.59 NPE in mod_proxy Crash (Upgrade to 2.4.60)
CVE-2024-38477 7.5 - High - July 01, 2024

null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

NULL Pointer Dereference

Apache HTTP Server <2.4.60 SSRF on Windows leaks NTLM Hashes
CVE-2024-38472 - July 01, 2024

SSRF in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to version 2.4.60 which fixes this issue.  Note: Existing configurations that access UNC paths will have to configure new directive "UNCList" to allow access during request processing.

Apache HTTP Server Response Splitting via Faulty Input Validation < 2.4.58
CVE-2023-38709 7.3 - High - April 04, 2024

Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server: through 2.4.58.

Improper Validation of Specified Quantity in Input