
Apache HTTP Server

The Apache HTTP Server is one of the most widely deployed web servers on the internet. Vulnerabilities in Apache httpd span module-level issues (mod_proxy, mod_cgi, mod_rewrite) and core request parsing problems. The 2.4.x branch is the current supported series; 2.2.x reached end-of-life in 2017.

Querying Apache HTTP Server

product slug: apache_httpd
version format: 2.4.49, 2.4.52, 2.4.62
bash
curl "https://api.attestd.io/v1/check?product=apache_httpd&version=2.4.49" \
  -H "Authorization: Bearer $ATTESTD_KEY"

Apache HTTP Server 2.4.49 is the only version affected by CVE-2021-41773 (path traversal with mod_cgi RCE). This version also falls in the range for the mod_proxy SSRF CVE-2021-40438. The response reflects the worst-case aggregation across both, which produces risk_state: "critical" due to active exploitation.

json
{
  "product": "apache_httpd",
  "version": "2.4.49",
  "supported": true,
  "risk_state": "critical",
  "risk_factors": [
    "active_exploitation",
    "remote_code_execution",
    "no_authentication_required",
    "internet_exposed_service",
    "patch_available"
  ],
  "actively_exploited": true,
  "remote_exploitable": true,
  "authentication_required": false,
  "patch_available": true,
  "fixed_version": "2.4.51",
  "confidence": 0.91,
  "cve_ids": ["CVE-2021-41773", "CVE-2021-40438"],
  "last_updated": "2026-02-23T18:21:30Z"
}

CVE history

Apache httpd CVEs tend to fall into two categories: path handling bugs that allow traversal out of the document root, and proxy module flaws that allow server-side request forgery or request smuggling. A few versions (2.4.49, 2.4.50) had exceptionally severe vulnerabilities that were patched within days of disclosure.

CVE-2021-41773 (KEV)
  Description: Path traversal vulnerability allowing access to files outside the document root. When mod_cgi is enabled, this becomes an unauthenticated remote code execution path. Affects 2.4.49 only.
  Affects: 2.4.49 only
  CVSS: 9.8

CVE-2021-42013 (KEV)
  Description: Incomplete fix for CVE-2021-41773. The patch could be bypassed using percent-encoded path segments. Also allows RCE with mod_cgi. Affects 2.4.49 and 2.4.50.
  Affects: 2.4.49, 2.4.50
  CVSS: 9.8

CVE-2021-40438
  Description: Server-side request forgery in mod_proxy. A crafted request-uri can cause the proxy to forward requests to an attacker-controlled origin server. Affects all 2.4.x through 2.4.48.
  Affects: 2.4.0 to 2.4.48
  CVSS: 9.0

CVE-2022-22720
  Description: HTTP request smuggling. Apache httpd fails to close inbound connections when encountering errors sending data to the client, leaving the connection available for request smuggling via HTTP/1.1.
  Affects: up to 2.4.52
  CVSS: 9.8

CVE-2022-31813
  Description: mod_proxy may not send the X-Forwarded-* headers to the origin server when there are hop-by-hop headers present. Can cause incorrect trust decisions by backend applications that depend on those headers.
  Affects: up to 2.4.53
  CVSS: 9.8

KEV = CISA Known Exploited Vulnerabilities catalog. Active exploitation confirmed.
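As an added worked example (not attestd.io's own code or its published scoring algorithm), the Python script below does the two things described on this page: it matches a version string against the affected ranges from the CVE table and rolls the matches up worst-case, and it triages a /v1/check response such as the one shown under "api usage". The roll-up rule (any KEV entry gives "critical", otherwise the highest CVSS decides) and the triage wording are assumptions; the sample response is the JSON from this page, embedded so the script runs offline, and the live `fetch_check` call uses the same endpoint and `ATTESTD_KEY` bearer token as the curl example.

```python
"""Added example, not attestd.io's code. Matches an httpd version against the
CVE table on this page, rolls the matches up worst-case (assumed rule), and
triages a /v1/check response. Runs offline on the sample response below."""
import json
import os
import re
import urllib.parse
import urllib.request

# Rows copied from the CVE table: (cve, first affected, last affected, cvss, kev).
# first = (2, 4, 0) stands for "every 2.4.x release up to and including last".
CVE_TABLE = [
    ("CVE-2021-41773", (2, 4, 49), (2, 4, 49), 9.8, True),
    ("CVE-2021-42013", (2, 4, 49), (2, 4, 50), 9.8, True),
    ("CVE-2021-40438", (2, 4, 0),  (2, 4, 48), 9.0, False),
    ("CVE-2022-22720", (2, 4, 0),  (2, 4, 52), 9.8, False),
    ("CVE-2022-31813", (2, 4, 0),  (2, 4, 53), 9.8, False),
]

# The response shown on this page, embedded as offline input.
SAMPLE_RESPONSE = json.loads("""{
  "product": "apache_httpd", "version": "2.4.49", "supported": true,
  "risk_state": "critical",
  "risk_factors": ["active_exploitation", "remote_code_execution",
                   "no_authentication_required", "internet_exposed_service",
                   "patch_available"],
  "actively_exploited": true, "remote_exploitable": true,
  "authentication_required": false, "patch_available": true,
  "fixed_version": "2.4.51", "confidence": 0.91,
  "cve_ids": ["CVE-2021-41773", "CVE-2021-40438"],
  "last_updated": "2026-02-23T18:21:30Z"
}""")

def parse_version(s):
    """'2.4.49' -> (2, 4, 49). Compare tuples, never strings: as text '2.4.9' > '2.4.51'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"not a three-part httpd version: {s!r}")
    return tuple(int(x) for x in m.groups())

def _matching_rows(version):
    v = parse_version(version)
    return [row for row in CVE_TABLE if row[1] <= v <= row[2]]

def affected_cves(version):
    """CVE ids from the table whose affected range covers this version."""
    return [row[0] for row in _matching_rows(version)]

def aggregate(version):
    """Worst-case roll-up. Assumed rule: any KEV entry -> critical, else top CVSS decides."""
    rows = _matching_rows(version)
    if not rows:
        return {"risk_state": "none", "cve_ids": [], "actively_exploited": False, "max_cvss": None}
    kev = any(row[4] for row in rows)
    top = max(row[3] for row in rows)
    state = "critical" if kev else ("high" if top >= 7.0 else "medium")
    return {"risk_state": state, "cve_ids": [row[0] for row in rows],
            "actively_exploited": kev, "max_cvss": top}

def check_url(product, version, base="https://api.attestd.io/v1/check"):
    """The same request as the curl example; urlencode keeps odd input from rewriting the query."""
    return base + "?" + urllib.parse.urlencode({"product": product, "version": version})

def fetch_check(product, version):
    """Live call; needs ATTESTD_KEY in the environment. Not exercised offline."""
    req = urllib.request.Request(
        check_url(product, version),
        headers={"Authorization": "Bearer " + os.environ["ATTESTD_KEY"]})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def triage(result):
    """Reduce a /v1/check response to (risk_state, action) for a ticket or dashboard."""
    if not result.get("supported", False):
        return ("unknown", "version not covered by the feed; verify by hand")
    if result.get("actively_exploited"):
        action = "patch immediately"
    elif result.get("remote_exploitable") and not result.get("authentication_required", True):
        action = "patch this cycle"
    else:
        action = "schedule with the next maintenance window"
    fixed = result.get("fixed_version")
    if result.get("patch_available") and fixed and parse_version(result["version"]) < parse_version(fixed):
        action += "; upgrade to " + fixed
    return (result["risk_state"], action)

if __name__ == "__main__":
    print(check_url("apache_httpd", "2.4.49"))
    print(affected_cves("2.4.48"), aggregate("2.4.50")["risk_state"])
    print(triage(SAMPLE_RESPONSE))
```

Running it offline prints the request URL, the table matches for 2.4.48 and the roll-up for 2.4.50, then `('critical', 'patch immediately; upgrade to 2.4.51')` for the sample response. The tuple comparison in `parse_version` matters in practice: a plain string comparison would rank 2.4.9 above 2.4.51 and skip the upgrade.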

Version format

Apache httpd uses standard three-part version strings (2.4.49). No normalization is required. Pass the version exactly as reported by the server (the output of httpd -v or the Server response header).
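As an added example (not attestd.io's code), the helpers below pull the three-part version string the `version` parameter expects from the two sources named above, the output of `httpd -v` and the Server response header. They return None rather than a truncated value when the header has been shortened by ServerTokens (for instance "Apache/2.4" or just "Apache"), since the API wants the exact three-part string. The sample strings are constructed.

```python
"""Added example, not attestd.io's code: extract the exact three-part httpd
version from 'httpd -v' output or a Server response header."""
import re

# Full version only; 'Apache/2.4' (ServerTokens Minor) or 'Apache/2' (Major) must not match,
# and the negative lookahead rejects anything with a fourth numeric component.
FULL_VERSION = re.compile(r"Apache/(\d+\.\d+\.\d+)(?![\d.])")

def version_from_httpd_v(output):
    """'httpd -v' (apache2 -v on Debian-family systems) starts with a line such as
    'Server version: Apache/2.4.49 (Unix)'; return '2.4.49', or None if absent."""
    for line in output.splitlines():
        if line.startswith("Server version:"):
            m = FULL_VERSION.search(line)
            return m.group(1) if m else None
    return None

def version_from_server_header(value):
    """A Server header carries a full version only with ServerTokens Full, OS or Min.
    With Prod ('Apache'), Major or Minor there is nothing to send, so return None
    instead of a guessed or partial version."""
    m = FULL_VERSION.search(value or "")
    return m.group(1) if m else None

# Constructed samples (not captured from a real host)
HTTPD_V_OUTPUT = "Server version: Apache/2.4.49 (Unix)\nServer built:   <build date>\n"
SERVER_HEADERS = ["Apache/2.4.52 (Ubuntu)", "Apache/2.4", "Apache", "nginx/1.25.3"]

if __name__ == "__main__":
    print(version_from_httpd_v(HTTPD_V_OUTPUT))
    for h in SERVER_HEADERS:
        print(repr(h), "->", version_from_server_header(h))
```

Whatever these return is passed unchanged as the `version` query parameter; a None result means the host has to be queried locally with `httpd -v` because the header alone does not identify the release.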
