CVE-2024-38475 in HTTP Server
Summary
by MITRE • 07/01/2024
Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure.
Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected. Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 01/04/2026
The vulnerability identified as CVE-2024-38475 represents a critical security flaw in the Apache HTTP Server's mod_rewrite module affecting versions 2.4.59 and earlier. This issue stems from improper escaping of output within the rewrite engine, creating a path traversal condition that allows attackers to manipulate URL mappings to access filesystem locations that should remain protected. The vulnerability specifically targets server contexts where backreferences or variables are used as the first segment of substitution operations, fundamentally compromising the server's access control mechanisms. The flaw enables attackers to bypass intended URL-to-filesystem mappings and potentially execute arbitrary code or disclose sensitive source code, making it particularly dangerous for web applications hosted on affected servers.
The technical exploitation of this vulnerability occurs through carefully crafted rewrite rules that leverage backreferences or server variables in the substitution portion of rewrite operations. When these elements are positioned as the first segment of a substitution, the improper escaping allows malicious input to be interpreted as filesystem paths rather than intended URL segments. This creates a scenario where an attacker can construct rewrite rules that map seemingly innocuous URLs to sensitive server directories, potentially enabling access to configuration files, application source code, or other protected resources. The vulnerability is classified under CWE-22 as Path Traversal and also relates to CWE-74 as Improper Neutralization of Special Elements in Output Used by a Downstream Component, highlighting the dual nature of the flaw involving both path manipulation and output handling.
The operational impact of CVE-2024-38475 extends beyond simple information disclosure to include potential code execution capabilities that could compromise entire server infrastructures. Attackers leveraging this vulnerability can gain unauthorized access to sensitive files, potentially including database credentials, application source code, and server configuration files that contain authentication secrets. The vulnerability affects the core functionality of Apache's URL rewriting system, which is extensively used across web applications for various purposes including SEO optimization, application routing, and access control. Organizations running affected Apache versions face significant risk as this flaw can be exploited without requiring elevated privileges, making it particularly attractive to threat actors targeting web applications and infrastructure components. The security implications align with ATT&CK technique T1059.007 for Command and Scripting Interpreter and T1566.001 for Phishing, as exploitation often involves crafting malicious requests that can lead to remote code execution.
Mitigation strategies for CVE-2024-38475 primarily involve upgrading to Apache HTTP Server version 2.4.60 or later, where the improper escaping has been addressed through enhanced input validation and output sanitization. Organizations should also review existing rewrite rules to identify and remediate any configurations that use backreferences or variables in the first segment of substitutions, implementing proper input validation and sanitization measures. The introduction of the "UnsafePrefixStat" rewrite flag provides a temporary workaround for configurations that require the affected behavior, though this should only be used after thorough validation and constraint implementation. Security teams should conduct comprehensive audits of all mod_rewrite configurations, particularly focusing on any rules that involve server variables or backreferences, and implement monitoring solutions to detect anomalous rewrite patterns that might indicate exploitation attempts. Additionally, implementing proper access controls, regular security assessments, and maintaining up-to-date security patches remains essential for protecting against similar vulnerabilities in the Apache HTTP Server ecosystem.