CVE-2024-42516
Apache HTTP Server: HTTP response splitting
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server can split the HTTP response. This vulnerability was described as CVE-2023-38709 but the patch included in Apache HTTP Server 2.4.59 did not address the issue. Users are recommended to upgrade to version 2.4.64, which fixes this issue.
It was discovered that the Apache HTTP Server incorrectly handled certain Content-Type response headers. A remote attacker could possibly use this issue to perform HTTP response splitting attacks. xiaojunjie discovered that the Apache HTTP Server mod_proxy module incorrectly handled certain requests. A remote attacker could possibly use this issue to send outbound proxy requests to an arbitrary URL.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2024-08-03 CVE Reserved
- 2025-07-10 CVE Published
- 2025-07-15 CVE Updated
- 2025-07-16 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://httpd.apache.org/security/vulnerabilities_24.html | 2025-07-10 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Software Foundation Search vendor "Apache Software Foundation" | Apache HTTP Server Search vendor "Apache Software Foundation" for product "Apache HTTP Server" | >= 2.4.0 <= 2.4.63 Search vendor "Apache Software Foundation" for product "Apache HTTP Server" and version " >= 2.4.0 <= 2.4.63" | en |
Affected
| ||||||