CVE-2024-38475
Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path.Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected. Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.
We have discovered 1,700,045 live websites that are affected by CVE-2024-38475.
Affected Software
| Product |  Apache |
| Category | Web Servers |
| Vulnerable Domains | 1,700,045 live websites (53.89% of Apache install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 54 versions ( 36.73% of all versions) |
Common Weakness Enumeration
CWE-116 Improper Encoding or Escaping of OutputDetails
- Published - Jul 1, 2024
- Updated - Feb 13, 2025
Credits
- Orange Tsai (@orange_8361) from DEVCORE (finder)
CWE
CVE References
CWE References
CVE-2024-38475 usage by Country
 United States | 593,529 websites |
 Germany | 211,401 websites |
 France | 112,963 websites |
 Netherlands | 81,055 websites |
 Russia | 54,126 websites |
 Singapore | 49,910 websites |
 Japan | 49,356 websites |
 Czech Republic | 43,010 websites |
 Italy | 42,555 websites |
 GB | 34,747 websites |
CVE-2024-38475 usage by TLD
| .com | 626,083 websites |
| .de | 124,317 websites |
| .org | 81,780 websites |
| .net | 66,902 websites |
| .nl | 62,820 websites |
| .ru | 48,426 websites |
| .it | 44,106 websites |
| .cz | 36,155 websites |
| .fr | 34,531 websites |
| .pl | 29,718 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-38475
Top websites that are affected by CVE-2024-38475. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *******.com | Singapore | *** | |
| *************.***.****.****.************.net | United States | *** | |
| *********.com | United States | *** | |
| *********.*************.se | United States | *** | |
| ****.com | United States | *** | |
| ***********.org | United States | *** | |
| *********.net | United States | *** | |
| ********.*********.com | Singapore | *,*** | |
| *****.cz | Czech Republic | *,*** | |
| ***.****.us | United States | *,*** |
FAQ
CVE-2024-38475 is Improper Encoding or Escaping of Output in Apache
A total of 1,700,045 websites have been identified as vulnerable to CVE-2024-38475, discovered through global website indexing conducted by WebTechSurvey.
Apache is susceptible to CVE-2024-38475 vulnerability.
Apache versions before, and including, 2.4.59 are vulnerable to CVE-2024-38475.