CVE-2025-59775
Description
Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on Windows with AllowEncodedSlashes On and MergeSlashes Off potentially allows NTLM hashes to be leaked to a malicious server via SSRF and malicious requests or content.
Users are recommended to upgrade to version 2.4.66, which fixes the issue.
CWE
- CWE-918: Server-Side Request Forgery (SSRF)
Affected
- Apache Software Foundation / Apache HTTP Server: versions 2.4.0 through 2.4.65 (inclusive) [affected]
CVSS
- (none)
References
- https://httpd.apache.org/security/vulnerabilities_24.html (vendor-advisory)
Source
cvelistV5-main/cves/2025/59xxx/CVE-2025-59775.json