Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified.
The issue results from improper substitution encoding in RewriteRule rules of the mod_rewrite module. When rules capture and substitute input data in an unsafe manner, it is possible to construct a request that bypasses URL access restrictions and directs the server to execute a script located in a directly inaccessible directory, or disclose the contents of that script instead of executing it. The vulnerability can be exploited remotely, without authentication and user interaction. After applying the patch, RewriteRule rules performing unsafe substitutions will be rejected unless the 'UnsafeAllow3F' flag is explicitly set.
An attacker can remotely execute unauthorized CGI scripts in directories protected from direct URL access or gain access to the source code of these scripts, which may lead to disclosure of sensitive data (e.g., credentials, application logic) and compromise of system integrity and availability.
Apache HTTP Server should be updated to version 2.4.60, which eliminates this vulnerability. NetApp Clustered Data ONTAP users should apply patches according to the vendor advisory (ntap-20240712-0001). Additionally, existing RewriteRule rules should be reviewed for unsafe substitutions — rules requiring previous behavior must be marked with the 'UnsafeAllow3F' flag.
Apache HTTP Server version 2.4.59 and earlier; NetApp Clustered Data ONTAP (versions indicated in vendor references)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache HTTP Server
APPApache2.4.0 – 2.4.60 (bez)Netapp Clustered Data Ontap
OSNetapp9.0
Related vulnerabilities
Apache HTTP Server mod_rewrite — ujawnienie kodu i RCE poprzez błędne escapowanie
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could ...
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a ...
A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remot...
Use-after-free w Apache HTTP Server z mod_ldap (CVE-2026-29167)