← back
CVE-2023-25690

Apache HTTP Server: HTTP request splitting with mod_rewrite and mod_proxy

CVSS 9.8 CRITICALEPSS 83.8%CWE-444
In short

Apache HTTP Server can be tricked into sending malformed requests to backend servers when using certain rewrite or proxy rules. An attacker can exploit this to bypass security controls, access unintended content, or poison caches.

Technical detail

HTTP request smuggling vulnerability in Apache HTTP Server 2.4.0–2.4.55 occurring when mod_proxy is combined with mod_rewrite rules that match and reinject unsanitized user-supplied URL data into proxied requests. Attack vector requires attacker-controlled request-target input; exploitation can result in access control bypass, URL smuggling to origin servers, and cache poisoning.

Summary generated and translated by AI from the official description.
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like: RewriteEngine on RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P] ProxyPassReverse /here/ http://example.com:8080/ Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Apache Software Foundation · Apache HTTP Server
public PoCs found6
githubgithub.com/dhmosfunk/CVE-2023-25690-POC286githubgithub.com/thanhlam-attt/CVE-2023-256904githubgithub.com/oOCyginXOo/CVE-2023-25690-POC2githubgithub.com/tbachvarova/linux-apache-fix-mod_rewrite-spaceInURL1githubgithub.com/arnavps/CTF-Web-Exploitation1cve_referencepacketstormsecurity.com/files/176334/Apache-2.4.55-mod_proxy-HTTP-Request-Smuggling.htmlunverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://packetstormsecurity.com/files/176334/Apache-2.4.55-mod_proxy-HTTP-Request-Smuggling.htmlhttps://httpd.apache.org/security/vulnerabilities_24.htmlhttps://lists.debian.org/debian-lts-announce/2023/04/msg00028.htmlhttps://security.gentoo.org/glsa/202309-01