CVE-2021-41773

What is Apache HTTP Server?

Apache HTTP Server is one of the oldest and most widely deployed web servers in the world, powering a significant fraction of internet-accessible websites and internal applications. Version 2.4.49 introduced a change to URL normalization that inadvertently created a path traversal vulnerability — and mass exploitation began within hours of public disclosure.

Overview

CVE-2021-41773 is a critical path traversal vulnerability (CWE-22) introduced in Apache HTTP Server 2.4.49. A change to the URL path normalization code in 2.4.49 broke existing path traversal protections, allowing an unauthenticated attacker to use percent-encoded path sequences (e.g., %2e%2e) to traverse outside the web server's document root and read arbitrary files. If CGI scripts are enabled, the path traversal can be used for remote code execution. Apache released 2.4.50 on the same day as the CVE, but that fix was incomplete — see CVE-2021-42013 for the bypass. Apache 2.4.51 fully resolves both issues.

Affected Versions

Technical Details

Apache 2.4.49 introduced a code change to the URL path normalization routine. The change inadvertently allowed percent-encoded dot sequences to bypass directory traversal protections:

• Vulnerable pattern: GET /cgi-bin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
• Path traversal: The percent-encoded .. sequences traverse outside the web root to any file readable by the Apache process
• RCE condition: If mod_cgi or mod_cgid is enabled, the attacker can traverse to a CGI-executable path and execute arbitrary commands — or use an explicit POST to inject shell commands via CGI
• No authentication required: The path traversal is reachable pre-authentication
• Mass exploitation: Publicly released PoC exploits drove immediate internet-wide scanning starting October 5, 2021 — within hours of CVE publication

Discovery

Discovered by Ash Daulton and the cPanel Security Team during auditing of Apache 2.4.49's changes. The same day as the CVE (October 4-5, 2021), Apache released 2.4.50 with a fix — but the fix proved incomplete, leading to CVE-2021-42013 three days later.

Exploitation Context

CVE-2021-41773 was one of the most rapidly exploited vulnerabilities of 2021. Within 24 hours of the public PoC, internet-wide scanning for Apache 2.4.49 was occurring at scale. Attackers deployed webshells, cryptocurrency miners, and in some cases ransomware on vulnerable servers. The vulnerability only affected the single Apache 2.4.49 release — organizations that upgraded directly to 2.4.51 bypassed both this CVE and CVE-2021-42013.

Remediation

1. Upgrade to Apache HTTP Server 2.4.51 or later — this fixes both CVE-2021-41773 and CVE-2021-42013
2. Check current Apache version: apache2 -v or httpd -v
3. If CGI is not required, disable mod_cgi and mod_cgid as defense-in-depth
4. Ensure Require all denied is set for directories not served by Apache
5. Review Apache access logs for %2e%2e or %%32%65 path patterns indicating traversal attempts
6. If running Apache 2.4.49 or 2.4.50, treat the server as potentially compromised — check for unexpected files in CGI directories and document root