CVE-2021-42013

What is Apache HTTP Server?

Apache HTTP Server is one of the most widely deployed web servers in the world, powering a significant fraction of internet-accessible websites and internal applications. The 2.4.x branch is the current stable release series. Path traversal vulnerabilities in Apache allow attackers to read files outside the web server's configured document root — and when CGI is enabled, they can achieve remote code execution.

Overview

CVE-2021-42013 is a critical path traversal vulnerability (CWE-22) in Apache HTTP Server 2.4.49 and 2.4.50. The vulnerability is an incomplete fix for CVE-2021-41773 — the patch in Apache 2.4.50 failed to fully address the URL normalization bypass. An attacker can use additional URL encoding patterns (e.g., double-encoding or alternate percent-encoding sequences) to traverse outside the document root and read arbitrary files, or, if CGI scripts are enabled, execute arbitrary OS commands as the web server user. Apache 2.4.51 fully fixes both CVEs. Mass exploitation began the same day CVE-2021-42013 was disclosed.

Affected Versions

Technical Details

Apache HTTP Server 2.4.49 introduced a change in URL normalization that created a path traversal bypass. The 2.4.50 fix addressed some encoding patterns but not all — specifically, additional URL encoding characters (e.g., %%32%65 or .%2e) could still bypass the normalization check:

• Root cause: Incomplete URL normalization in the path handling code — certain percent-encoded representations of . and / characters were not properly decoded before path traversal checks
• Exploit patterns: GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1 or variations using double-encoding bypass the directory escape check
• Path traversal: Allows reading any file the web server process has read access to (e.g., /etc/passwd, application configuration files, private keys)
• RCE condition: Remote code execution requires mod_cgi or mod_cgid to be enabled AND the traversed path to reach a CGI-executable directory
• Mass exploitation: Attackers scanned for vulnerable Apache 2.4.49/2.4.50 instances starting the day the CVE was published, deploying webshells and cryptominers

Discovery

Security researchers at Ash Daulton and others identified the incomplete fix in Apache 2.4.50 within days of that release. Apache responded with 2.4.51 on October 7 — the same day CVE-2021-42013 was published — demonstrating an exceptionally fast patch turnaround.

Exploitation Context

CVE-2021-42013 (and its predecessor CVE-2021-41773) saw immediate, widespread exploitation. Within 24 hours of public disclosure, internet-scale scanning for Apache 2.4.49 and 2.4.50 servers was underway, with exploitation including file read, webshell deployment, and cryptominer installation. Ransomware operators also incorporated this into their initial access toolkit, given the large number of vulnerable internet-facing Apache servers.

Remediation

1. Upgrade to Apache HTTP Server 2.4.51 or later immediately — this fully fixes both CVE-2021-41773 and CVE-2021-42013
2. Verify the Apache version in use: apache2 -v or httpd -v
3. If CGI is not required, disable mod_cgi and mod_cgid to limit RCE impact even on older versions
4. Ensure Require all denied is set for directories not intended to be web-accessible — this limits path traversal impact
5. Review web server access logs for path traversal attempts (/.%2e/, /%%32%65/, /../ patterns)
6. Check for unexpected files written to the server's CGI directories or document root