CVE-2022-37436
Apache HTTP Server: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splittingPrior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.
We have discovered 1,523,343 live websites that are affected by CVE-2022-37436.
Affected Software
| Product |  Apache |
| Category | Web Servers |
| Vulnerable Domains | 1,523,343 live websites (54% of Apache install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 106 versions ( 89% of all versions) |
Common Weakness Enumeration
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')Details
- Published - Jan 17, 2023
- Updated - Apr 4, 2025
Credits
- Dimas Fariski Setyawan Putra (@nyxsorcerer) (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2022-37436 United States | 408,031 websites |
 Germany | 156,341 websites |
 Taiwan | 111,995 websites |
 France | 79,393 websites |
 Japan | 72,964 websites |
 Russia | 60,558 websites |
 Italy | 50,879 websites |
 Netherlands | 47,201 websites |
 Czech Republic | 41,277 websites |
 Singapore | 37,827 websites |
Website Distribution by TLD
Number of websites using CVE-2022-37436| .com | 600,149 websites |
| .de | 98,920 websites |
| .org | 65,526 websites |
| .net | 60,587 websites |
| .ru | 52,808 websites |
| .it | 44,615 websites |
| .nl | 35,100 websites |
| .cz | 34,251 websites |
| .jp | 28,530 websites |
| .pl | 25,744 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2022-37436
Top websites that are affected by CVE-2022-37436. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *******.com | Singapore | *** | |
| *************.***.****.****.************.net | United States | *** | |
| *****.***********.com |  Canada | *** | |
| *********.net | United States | *** | |
| ***.****.us | United States | *,*** | |
| ***.*********.com | Singapore | *,*** | |
| *****.*******.com | Singapore | *,*** | |
| ******************.com | United States | *,*** | |
| ****.*********.net |  GB | *,*** | |
| *******.org | United States | *,*** |
FAQ
CVE-2022-37436 is Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') in Apache
A total of 1,523,343 websites have been identified as vulnerable to CVE-2022-37436, based on global website indexing conducted by WebTechSurvey.
The Apache is affected by the CVE-2022-37436 vulnerability.
Apache versions up to 2.4.55 are vulnerable to CVE-2022-37436.
CVE-2022-37436 is resolved in version 2.4.55 of Apache.