Server-Side Request Forgery Vulnerability in Apache HTTP Server for Windows
CVE-2025-59775

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Http Server
Vendor: CVE Published:; 5 December 2025

What is CVE-2025-59775?

A server-side request forgery (SSRF) vulnerability exists in Apache HTTP Server on Windows that can permit an attacker to send crafted requests, potentially leading to the exposure of sensitive NTLM hashes to an external malicious server. This issue can be triggered when the AllowEncodedSlashes directive is set to On and the MergeSlashes directive is Off. It is crucial for users to upgrade their systems to version 2.4.66 or later to mitigate this risk.

Affected Version(s)

Apache HTTP Server 2.4.0 <= 2.4.65

References

https://httpd.apache.org/security/vulnerabilities_24.html

vendor-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 5, 2025
Vulnerability Reserved
Sep 19, 2025

Credit

Orange Tsai (@orange_8361) from DEVCORE

JSON