Server-Side Request Forgery Vulnerability in Apache HTTP Server for Windows
CVE-2025-59775

Currently unrated

Key Information:

Vendor: Apache
Status: Apache Http Server
Vendor: CVE Published:; 5 December 2025

What is CVE-2025-59775?

A server-side request forgery (SSRF) vulnerability exists in Apache HTTP Server on Windows that can permit an attacker to send crafted requests, potentially leading to the exposure of sensitive NTLM hashes to an external malicious server. This issue can be triggered when the AllowEncodedSlashes directive is set to On and the MergeSlashes directive is Off. It is crucial for users to upgrade their systems to version 2.4.66 or later to mitigate this risk.

Affected Version(s)

Apache HTTP Server 2.4.0 <= 2.4.65

References

https://httpd.apache.org/security/vulnerabilities_24.html

vendor-advisory

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 5, 2025
Vulnerability Reserved
Sep 19, 2025

Credit

Orange Tsai (@orange_8361) from DEVCORE

JSON