CVE-2024-38475
Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path.Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected. Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.
We have discovered 1,328,741 live websites that are affected by CVE-2024-38475.
Affected Software
| Product |  Apache |
| Category | Web Servers |
| Vulnerable Domains | 1,328,741 live websites (48% of Apache install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 51 versions ( 43% of all versions) |
Common Weakness Enumeration
CWE-116 Improper Encoding or Escaping of OutputDetails
- Published - Jul 1, 2024
- Updated - Nov 3, 2025
Credits
- Orange Tsai (@orange_8361) from DEVCORE (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2024-38475 United States | 399,606 websites |
 Germany | 151,624 websites |
 France | 79,441 websites |
 Netherlands | 62,741 websites |
 Japan | 48,904 websites |
 Russia | 48,300 websites |
 Italy | 46,493 websites |
 Singapore | 36,529 websites |
 GB | 36,117 websites |
 Czech Republic | 34,920 websites |
Website Distribution by TLD
Number of websites using CVE-2024-38475| .com | 484,575 websites |
| .de | 90,241 websites |
| .org | 64,567 websites |
| .net | 52,720 websites |
| .nl | 47,215 websites |
| .ru | 42,753 websites |
| .it | 41,347 websites |
| .cz | 29,091 websites |
| .fr | 26,275 websites |
| .pl | 25,745 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-38475
Top websites that are affected by CVE-2024-38475. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *******.com | Singapore | *** | |
| *************.***.****.****.************.net | United States | *** | |
| *********.net | United States | *** | |
| ***.****.us | United States | *,*** | |
| ***.*********.com | Singapore | *,*** | |
| *****.*******.com | Singapore | *,*** | |
| ******.net |  Sweden | *,*** | |
| ******************.com | United States | *,*** | |
| ****.*********.net | GB | *,*** | |
| ****.com | United States | *,*** |
FAQ
CVE-2024-38475 is Improper Encoding or Escaping of Output in Apache
A total of 1,328,741 websites have been identified as vulnerable to CVE-2024-38475, based on global website indexing conducted by WebTechSurvey.
The Apache is affected by the CVE-2024-38475 vulnerability.
Apache versions up to and including 2.4.59 are vulnerable to CVE-2024-38475.