A critical vulnerability in Apache’s mod_rewrite module allows attackers to exploit unsafe rewrite rules by crafting URLs that access unintended filesystem paths.
This flaw, tracked as CVE-2024-38475, may lead to remote code execution or source code leakage, depending on server configuration. On May 1st, CISA added it to its list of known exploited vulnerabilities (KEV).
The vulnerability stems from improper escaping of output when backreferences or variables are used as the first segment of a rewrite rule substitution. Exploits targeting this vulnerability are publicly available.
Key Details
- Threat Type: Remote Code Execution / Information Disclosure
- Affected Product: Apache HTTP Server (v2.4.0 to <2.4.60)
- CVSS Score: 9.1 (Critical)
- Exploitation in the Wild: Confirmed
- Action Required: Patch immediately or disable mod_rewrite if not in use
Impact
CVE-2024-38475 allows attackers to craft malicious URLs that access restricted server-side files, potentially exposing configuration files or application source code. The flaw lies in how Apache’s mod_rewrite handles output escaping, enabling unauthorized file access through unsafe rewrite rules.
In some cases, this can lead to remote code execution without any authentication. Security researchers have confirmed that the exploit is straightforward and effective, making this a high-risk vulnerability that requires immediate action.
Mitigation
To mitigate the risk of exposure, OP Innovate recommends the following:
- Upgrade to Apache HTTP Server v2.4.60+
- If mod_rewrite is not required, disable it entirely
- Avoid unsafe rewrite rules whose substitution begins with an unvalidated backreference or variable
- Apply vendor-supplied updates where applicable; vendors such as Red Hat and NetApp have issued patches
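To find rewrite rules that match the unsafe pattern described above (a backreference or variable as the first segment of the substitution), a configuration audit can help. The script below is an added example, not code from Apache or OP Innovate; the function names and the sample configuration are constructed for illustration, and a flagged rule is a candidate for review, not a confirmed exposure.

```python
import re

# Substitution that begins with a backreference ($1, %1) or a variable
# (%{VAR}, ${map:key}): the rule shape the advisory describes as unsafe.
LEADING_REF = re.compile(r'^(?:[$%]\d|%\{[^}]*\}|\$\{[^}]*\})')
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')  # quoted or bare argument

def logical_lines(text):
    """Yield (first_line_number, directive) with backslash continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, (buf + raw).strip()
        buf, start = "", None
    if buf:
        yield start, buf.strip()

def audit_rewrite_rules(text):
    """Return [(line_number, pattern, substitution)] for rules needing review."""
    findings = []
    for n, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue
        args = [quoted or bare for quoted, bare in TOKEN.findall(line)]
        if len(args) >= 3 and args[0].lower() == "rewriterule":
            if LEADING_REF.match(args[2]):
                findings.append((n, args[1], args[2]))
    return findings

# Constructed sample configuration (not taken from any real server).
SAMPLE_CONF = r'''
RewriteEngine On
# constructed sample
RewriteRule "^/html/(.*)$" "$1.html"
RewriteRule "^/app/(.*)$" "/var/www/app/$1.php"
RewriteRule ^/u/([a-z]+)$ \
    %{DOCUMENT_ROOT}/users/$1 [L]
RewriteRule "^/old$" "-" [G]
'''

if __name__ == "__main__":
    for n, pat, sub in audit_rewrite_rules(SAMPLE_CONF):
        print(f"line {n}: RewriteRule {pat} -> {sub} (leading backreference/variable)")
```

Run it against the text of each server and virtual-host configuration file; rules whose substitution starts with a fixed path prefix, such as the second rule in the sample, are not flagged.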