vulnerability
Apache HTTPD: CVE-2025-59775: Server-Side Request Forgery (SSRF)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:N/C:C/I:N/A:N) | Dec 5, 2025 | Dec 8, 2025 | Apr 9, 2026 |
Severity
8
CVSS
(AV:N/AC:L/Au:N/C:C/I:N/A:N)
Published
Dec 5, 2025
Added
Dec 8, 2025
Modified
Apr 9, 2026
Description
Server-Side Request Forgery (SSRF) vulnerability
in Apache HTTP Server on Windows
with AllowEncodedSlashes On and MergeSlashes Off allows to potentially leak NTLM
hashes to a malicious server via SSRF and malicious requests or content
Users are recommended to upgrade to version 2.4.66, which fixes the issue.
in Apache HTTP Server on Windows
with AllowEncodedSlashes On and MergeSlashes Off allows to potentially leak NTLM
hashes to a malicious server via SSRF and malicious requests or content
Users are recommended to upgrade to version 2.4.66, which fixes the issue.
Solution
apache-httpd-upgrade-latest
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.