CVE-2024-38475 — Apache HTTP Server Improper Escaping of Output Vulnerability

CVE-2024-38475

Apache httpd — mod_rewrite Improper Escaping Maps URLs to Unintended Filesystem Locations; Source Disclosure or RCE; Fixed in 2.4.60

What is Apache HTTP Server?

Apache HTTP Server (httpd) is the most widely deployed web server software in the world, serving billions of requests daily across millions of websites. The mod_rewrite module is one of its most commonly used features — it provides URL rewriting and redirection rules that virtually every Apache-based web application relies on. Vulnerabilities in mod_rewrite are consequently high-impact: they affect an enormous install base and can transform a trusted web server into an attacker-controlled gateway to the underlying filesystem. Apache HTTP Server is ubiquitous in government, enterprise, academic, and commercial environments.

Overview

CVE-2024-38475 is an improper escaping of output vulnerability (CWE-116) in the mod_rewrite module of Apache HTTP Server. When mod_rewrite handles URL rewriting with certain configurations, it fails to properly escape special characters in the output, causing it to map attacker-controlled URLs to filesystem locations that the server is permitted to serve but that are not intended to be reachable via any URL. This enables two exploitation paths: (1) source code disclosure — accessing PHP source files, configuration files, or other server-side content that should never be directly readable via HTTP; and (2) code execution — in configurations where the mapped location contains executable content or CGI scripts, triggering execution. CISA added it to the KEV catalog in May 2025, confirming exploitation of servers that remained on 2.4.59 or earlier.

Affected Versions

| Product | Vulnerable | Fixed |
| --- | --- | --- |
| Apache HTTP Server | 2.4.0 through 2.4.59 | 2.4.60 |

Technical Details

The improper output escaping (CWE-116) is in mod_rewrite's URL substitution logic. When a RewriteRule directive maps an incoming URL to a backend path, special characters in the URL (particularly null bytes, path separators, or URL-encoded sequences) are not fully normalized before the filesystem lookup. This allows an attacker to construct a URL that, after rewrite processing, resolves to a path outside the intended document root or to a path that bypasses directory access restrictions.

Source code disclosure path:

  • On PHP installations, a crafted URL that maps to the .php source file via a path traversal in the rewritten output can cause Apache to serve the raw PHP source rather than executing it — exposing database credentials, API keys, and application logic

Code execution path:

  • If mod_rewrite maps to a location containing CGI scripts, server-side includes, or other executable content that the server is configured to execute, an attacker can trigger execution
  • Combined with mod_cgi, mod_cgid, or suexec, this becomes RCE

Configuration dependency: The vulnerability requires specific RewriteRule configurations that use backreferences from user-controlled URL components. The most common vulnerable pattern involves rules that insert portions of the request URI into the rewrite target without sufficient escaping.

Discovery

Orange Tsai (DEVCORE Research Team) discovered multiple Apache HTTP Server vulnerabilities in the 2.4.60 release cycle, including CVE-2024-38475. Orange Tsai is known for discovering critical Apache httpd vulnerabilities and presented related research at major security conferences.

Exploitation Context

The 10-month gap between the July 2024 patch and the May 2025 CISA KEV listing reflects the massive Apache httpd install base and the slow patch adoption rate for web server infrastructure. Many organizations run Apache httpd at versions far behind the current release. The CISA KEV listing confirms active exploitation of unpatched servers — source code disclosure is particularly impactful because PHP source files often contain hardcoded database credentials that enable attackers to access application databases without needing to achieve RCE.

Remediation

  1. Upgrade to Apache HTTP Server 2.4.60 or later immediately. The CISA deadline was May 22, 2025.
  2. Check current version with apache2 -v or httpd -v — if earlier than 2.4.60, the server is vulnerable.
  3. Review mod_rewrite configurations in httpd.conf and .htaccess files for RewriteRule directives that include user-controlled URL components in the substitution target — these are the most likely vulnerable patterns.
  4. Audit access logs for unusual URL patterns containing encoded special characters (%00, %2F, path traversal sequences) in the URL path that trigger rewrite rules.
  5. Enable ModSecurity or equivalent WAF with rules targeting path traversal attempts in rewritten URLs.
  6. Remove mod_cgi/mod_cgid if CGI execution is not required — this eliminates the code execution path even if source disclosure remains possible.
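
A defensive sketch of steps 2 to 4 above, added here as an example and not part of the original advisory or of any Apache tooling: it parses the version banner, flags RewriteRule lines whose substitution embeds a backreference, and scans access-log request paths for the encoded markers listed in step 4. The function names, sample configuration and sample log lines are constructed for illustration, and the rule matcher assumes directive arguments contain no whitespace.

```python
import re

FIXED = (2, 4, 60)  # first fixed release according to this advisory
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)  # pattern, substitution
BACKREF = re.compile(r"(?<!\\)[$%]\d")  # $N / %N backreference that is not escaped
ENCODED = re.compile(r"%00|%2f|%2e%2e|\.\./", re.I)  # markers named in step 4
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')  # request line in an access log

def is_vulnerable_version(banner):
    """True if the `httpd -v` / `apache2 -v` banner reports a release before 2.4.60."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no Apache version in banner")
    return tuple(int(x) for x in m.groups()) < FIXED

def risky_rewrite_rules(conf_text):
    """(line number, substitution) for each RewriteRule whose target embeds a backreference."""
    hits = []
    for number, line in enumerate(conf_text.splitlines(), 1):
        m = RULE.match(line)  # commented-out rules start with '#' and do not match
        if m and BACKREF.search(m.group(2)):
            hits.append((number, m.group(2).strip('"')))
    return hits

def suspicious_requests(log_lines):
    """Request targets whose path (query string excluded) carries an encoded marker."""
    found = []
    for line in log_lines:
        m = REQUEST.search(line)
        if m and ENCODED.search(m.group(1).split("?", 1)[0]):
            found.append(m.group(1))
    return found

# Constructed sample inputs, not taken from any real server.
SAMPLE_CONF = r'''# constructed example
RewriteEngine On
RewriteRule ^/download/(.*)$ /var/www/files/$1 [L]
RewriteRule ^/old$ /new [R=301]
rewriterule "^/u/([^/]+)/(.*)" "/home/$1/public/$2"
'''
SAMPLE_LOG = [
    '192.0.2.10 - - [01/May/2025:10:00:00 +0000] "GET /download/report.pdf HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/May/2025:10:00:05 +0000] "GET /download/..%2F..%2Fapp/config.php HTTP/1.1" 200 812',
    '192.0.2.12 - - [01/May/2025:10:00:09 +0000] "GET /search?q=a%2Fb HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print(is_vulnerable_version("Server version: Apache/2.4.59 (Unix)"))
    print(risky_rewrite_rules(SAMPLE_CONF))
    print(suspicious_requests(SAMPLE_LOG))
```

Distribution packages can backport the fix without changing the upstream version string, so confirm a flagged version against the vendor's advisory. Flagged rules are candidates for manual review, not confirmed vulnerable rules.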

Key Details

| Property | Value |
| --- | --- |
| CVE ID | CVE-2024-38475 |
| Vendor / Product | Apache / HTTP Server |
| NVD Published | 2024-07-01 |
| NVD Last Modified | 2025-11-17 |
| CVSS 3.1 Score | 9.1 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| Severity | CRITICAL |
| CWE | CWE-116 |
| CISA KEV Added | 2025-05-01 |
| CISA KEV Deadline | 2025-05-22 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2025-05-22. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

| Date | Event |
| --- | --- |
| 2024-07-01 | Apache HTTP Server 2.4.60 released; CVE-2024-38475 disclosed |
| 2025-05-01 | CISA adds to KEV catalog (10-month gap; exploitation of unpatched servers confirmed) |
| 2025-05-22 | CISA BOD 22-01 remediation deadline |