Home

Description

HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server can split the HTTP response. This vulnerability was described as CVE-2023-38709 but the patch included in Apache HTTP Server 2.4.59 did not address the issue. Users are recommended to upgrade to version 2.4.64, which fixes this issue.

PUBLISHED Reserved 2024-08-03 | Published 2025-07-10 | Updated 2025-11-04 | Assigner apache

Problem types

CWE-20 Improper Input Validation

Product status

Default status
unaffected

2.4.0 (semver)
affected

Timeline

2024-07-18:reported

References

lists.debian.org/debian-lts-announce/2025/08/msg00009.html

www.openwall.com/lists/oss-security/2025/07/10/2

www.openwall.com/lists/oss-security/2025/07/10/3

httpd.apache.org/security/vulnerabilities_24.html vendor-advisory

cve.org (CVE-2024-42516)

nvd.nist.gov (CVE-2024-42516)

Download JSON