Apache HTTP Server-Side Request Forgery (SSRF)

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

Published Sep 16, 2021 · Updated May 16, 2026

Why patchRisk explained in plain English

Worst-case scenarioIf unpatched

A remote attacker, without authentication, can achieve full data confidentiality loss, arbitrary modification of data, complete denial of service or system unavailability. Federal agencies are required to remediate by 2021-12-15 under CISA BOD 22-01.

How the attack worksNo clicks needed

This is a Server-Side Request Forgery (SSRF) (CWE-918) vulnerability in Apache Apache. A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. Exploitation requires remote network access, higher attack complexity, no authentication required, and no user interaction required.

📧

Phishing link

→

🖼

Malicious file

🔓

Server compromised

Am I affected?Quick check

Probably yes if any of these apply:

●IT Security

●Running rocky linux: 8.0; enterprise linux: 8.0; enterprise linux eus: 8.1, 8.2, 8.4, 8.6, 8.8; enterprise linux for arm 64: 8.0; enterprise linux for arm 64 eus: 8.6, 8.8; enterprise linux for ibm z systems: 7.0_s390x, 8.0; enterprise linux for ibm z systems eus: 8.1, 8.4, 8.8; enterprise linux for ibm z systems eus s390x: 8.2; enterprise linux for power big endian: 7.0; enterprise linux for power little endian: 7.0, 8.0; enterprise linux for power little endian eus: 8.1, 8.2, 8.4, 8.6, 8.8; enterprise linux for scientific computing: 7.0; enterprise linux server: 7.0; enterprise linux server aus: 7.2, 7.3, 7.4, 7.6, 7.7, 8.2, 8.4, 8.6; enterprise linux server for power little endian update services for sap solutions: 7.6, 7.7, 8.1, 8.2, 8.4, 8.6, 8.8; enterprise linux server tus: 7.6, 7.7, 8.2, 8.4, 8.6, 8.8; enterprise linux server update services for sap solutions: 7.6, 7.7; enterprise linux update services for sap solutions: 8.1, 8.2, 8.4, 8.6, 8.8; enterprise linux workstation: 7.0; jboss core services: 1.0; software collections: 1.0; http server: v ≤ 2.4.48; fedora: 34, 35; debian linux: 9.0, 10.0, 11.0; cloud backup: -; clustered data ontap: -; storagegrid: -; brocade fabric operating system firmware: -; f5os: 1.1.0 ≤ v ≤ 1.1.4, 1.2.0 ≤ v ≤ 1.2.1; enterprise manager ops center: 12.4.0.0; http server: 12.2.1.3.0, 12.2.1.4.0; instantis enterprisetrack: 17.1, 17.2, 17.3; secure global desktop: 5.6; zfs storage appliance kit: 8.8; sinec nms: v < 1.0.3; sinema remote connect server: v < 3.1, 3.2; sinema server: 14.0; tenable.sc: v ≤ 5.19.1

Real-world incidentsWhat we've seen

CISA added this CVE to the Known Exploited Vulnerabilities catalog on 2021-12-01 based on evidence of active exploitation in the wild. Federal agencies required to remediate by 2021-12-15.

How to patch

Manual remediation steps

Apply the Vendor Patch

This vulnerability is in the CISA Known Exploited Vulnerabilities catalog — apply the vendor's security update as soon as possible.

CISA required action: Apply updates per vendor instructions.

References

Vendor advisory: https://httpd.apache.org/security/vulnerabilities_24.html

NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-40438

CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-40438

PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

↗ CVE-2021-40438 ↗ NVD ↗ Vendor Advisory