CVE-2024-24795 Overview
CVE-2024-24795 is an HTTP Response Splitting vulnerability affecting multiple modules in Apache HTTP Server. This vulnerability allows an attacker who can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. HTTP desync attacks can lead to request smuggling, cache poisoning, and hijacking of other users' requests.
The vulnerability exists due to improper neutralization of CRLF sequences in HTTP headers across multiple Apache httpd modules. When attackers can influence backend response headers, they can inject crafted content that causes the front-end server and back-end servers to interpret message boundaries differently.
Critical Impact
Attackers exploiting this vulnerability can manipulate HTTP traffic flow, potentially hijacking authenticated sessions, poisoning web caches, and bypassing security controls through HTTP desynchronization techniques.
Affected Products
- Apache HTTP Server (versions prior to 2.4.59)
- Debian Linux 10.0
- Fedora 38, 39, and 40
- NetApp ONTAP 9
- NetApp ONTAP Tools 10 for VMware vSphere
- Broadcom Fabric Operating System
- Apple macOS (affected versions)
Discovery Timeline
- April 4, 2024 - CVE-2024-24795 published to NVD
- June 30, 2025 - Last updated in NVD database
Technical Details for CVE-2024-24795
Vulnerability Analysis
This HTTP Response Splitting vulnerability (CWE-113) combined with Inconsistent Interpretation of HTTP Requests (CWE-444) occurs across multiple modules in Apache HTTP Server. The vulnerability enables HTTP desynchronization attacks when an attacker can inject malicious content into response headers that are passed from backend applications through Apache's proxy modules.
HTTP desynchronization exploits the differences in how front-end and back-end servers parse HTTP message boundaries. By injecting CRLF (Carriage Return Line Feed) sequences into response headers, attackers can cause Apache and backend servers to disagree on where one response ends and another begins. This disagreement can be weaponized to smuggle malicious requests, poison shared caches, or hijack subsequent requests from other users.
The vulnerability requires user interaction, as an attacker typically needs to craft a malicious request or manipulate backend application behavior to inject the header content. However, in proxy configurations where user-controlled data reaches backend headers, exploitation becomes more practical.
Root Cause
The root cause lies in insufficient sanitization of CRLF sequences within HTTP header processing across multiple Apache HTTP Server modules. When these modules pass response headers from backend applications, they fail to properly neutralize injected line terminators. This allows attackers to break out of the intended header context and inject additional headers or even complete HTTP responses.
The affected modules include those responsible for proxying requests to backend servers, where header values from backend responses are incorporated into the final response sent to clients without adequate validation of header integrity.
Attack Vector
The attack leverages network-accessible Apache HTTP Server instances configured to proxy requests to backend applications. An attacker must be able to influence the content of response headers generated by backend applications. This could occur through:
- Backend Application Vulnerabilities: If a backend application reflects user input into response headers without proper sanitization
- Compromised Backend Systems: Direct manipulation of backend response headers
- Header Injection Points: Any location where user-controlled data flows into HTTP response headers
Once header injection is achieved, the attacker crafts payloads containing CRLF sequences (\r\n) followed by additional headers or response bodies. This causes desynchronization between how Apache interprets the response boundaries versus how intermediate proxies or clients interpret them.
The attack mechanism exploits the HTTP/1.1 protocol's reliance on CRLF sequences as delimiters, allowing injection of content that appears as separate HTTP messages to different components in the request chain.
Detection Methods for CVE-2024-24795
Indicators of Compromise
- Unusual CRLF sequences or encoded variants (%0d%0a, %0D%0A) appearing in HTTP request or response headers
- Malformed HTTP responses with unexpected header structures in Apache logs
- Cache poisoning indicators such as incorrect content being served for legitimate URLs
- Reports of session hijacking or users receiving responses intended for other users
Detection Strategies
- Enable detailed logging of HTTP headers in Apache access and error logs to identify anomalous header patterns
- Deploy Web Application Firewalls (WAF) with rules specifically targeting CRLF injection patterns in headers
- Implement network-level monitoring for HTTP desync attack signatures using IDS/IPS systems
- Review Apache configuration for proxy modules that may be vulnerable and audit backend application header handling
Monitoring Recommendations
- Configure Apache mod_log_config to log full request and response headers for forensic analysis
- Set up alerting for unusual patterns in Content-Length mismatches or Transfer-Encoding anomalies
- Monitor for cache hit/miss ratio anomalies that could indicate cache poisoning attempts
- Implement real-time analysis of HTTP traffic for header injection attack patterns
How to Mitigate CVE-2024-24795
Immediate Actions Required
- Upgrade Apache HTTP Server to version 2.4.59 or later immediately
- Review and restrict backend applications from including user-controlled data in response headers
- Implement strict input validation on any data that could flow into HTTP headers
- Consider temporarily disabling vulnerable proxy modules if immediate patching is not possible
Patch Information
Apache has released version 2.4.59 which addresses this HTTP Response Splitting vulnerability. Users should upgrade to this version or later to remediate CVE-2024-24795. The patch improves header sanitization across affected modules to properly neutralize CRLF injection attempts.
For detailed patch information and security advisories, refer to the Apache HTTP Server Vulnerabilities page.
Additional vendor-specific patches are available:
Workarounds
- Implement WAF rules to strip or reject requests containing CRLF sequences in header values
- Configure backend applications to sanitize all output that may appear in HTTP headers
- Use mod_security or similar modules to block requests with header injection patterns
- Consider deploying HTTP/2 between Apache and clients where possible, as it uses binary framing that is inherently resistant to CRLF injection
# Apache mod_security rule example to detect CRLF injection attempts
# Add to mod_security configuration
SecRule REQUEST_HEADERS "@rx [\r\n]" \
"id:1001,\
phase:1,\
deny,\
status:400,\
msg:'CRLF Injection Attempt Detected',\
log,\
auditlog"
# Verify Apache version after upgrade
httpd -v
# Expected: Server version: Apache/2.4.59 or higher
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
