PT-2025-49182 · Apache+3 · Apache Http Server+3

Published: 2025-09-10 · Updated: 2026-03-24 · CVE-2025-59775

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Apache HTTP Server versions prior to 2.4.66

Description

An issue exists in Apache HTTP Server on Windows when AllowEncodedSlashes is enabled and MergeSlashes is disabled. This can allow for Server-Side Request Forgery (SSRF), potentially leading to the leakage of NTLM hashes to a malicious server through crafted requests or content. The issue enables an attacker to make requests on behalf of the server, potentially accessing internal resources.

Recommendations

Upgrade to version 2.4.66 to resolve this issue.
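
To find hosts that still need the upgrade, the exposure condition described above (Windows, AllowEncodedSlashes enabled, MergeSlashes disabled, version prior to 2.4.66) can be checked against a server's configuration text. The following is an added example, not code from this advisory or from the Apache project; the sample configuration and version string are constructed, and the check is deliberately conservative: it treats any AllowEncodedSlashes value other than Off as enabled (an assumption) and does not model per-VirtualHost scoping.

```python
import re

FIXED = (2, 4, 66)  # first fixed release according to the advisory

# Constructed sample configuration, not taken from any real server.
SAMPLE_CONF = """\
ServerName www.example.test
# AllowEncodedSlashes Off
<VirtualHost *:443>
    AllowEncodedSlashes NoDecode
    mergeslashes off
</VirtualHost>
"""

# Directive names are case-insensitive; commented-out lines do not match.
DIRECTIVE = re.compile(r"^\s*(AllowEncodedSlashes|MergeSlashes)\s+(\S+)", re.I)


def parse_version(text):
    """Turn '2.4.65' or 'Apache/2.4.65 (Win64)' into (2, 4, 65)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.groups())


def directive_values(conf_text):
    """Collect (line number, value) for every active use of the two directives."""
    found = {"allowencodedslashes": [], "mergeslashes": []}
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m:
            found[m.group(1).lower()].append((lineno, m.group(2).lower()))
    return found


def audit(conf_text, version, on_windows):
    """Return (exposed, reasons) for the condition the advisory describes."""
    vals = directive_values(conf_text)
    # Assumption: any value other than Off (On, NoDecode) counts as enabled.
    encoded = [(n, v) for n, v in vals["allowencodedslashes"] if v != "off"]
    unmerged = [(n, v) for n, v in vals["mergeslashes"] if v == "off"]
    reasons = [f"line {n}: AllowEncodedSlashes {v}" for n, v in encoded]
    reasons += [f"line {n}: MergeSlashes {v}" for n, v in unmerged]
    exposed = bool(on_windows and encoded and unmerged
                   and parse_version(version) < FIXED)
    return exposed, reasons


if __name__ == "__main__":
    print(audit(SAMPLE_CONF, "Apache/2.4.65 (Win64)", on_windows=True))
```

A host reported as exposed should be upgraded to 2.4.66; the listed line numbers show where the two directives are set so the configuration can be reviewed in the meantime.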

Fix

SSRF

Weakness Enumeration

Related Identifiers

BDU:2025-15293
BIT-APACHE-2025-59775
CVE-2025-59775
OPENSUSE-SU-2025:15808-1
OPENSUSE-SU-2026:20810-1
RHSA-2026:5156
SUSE-SU-2026:21846-1

Affected Products

Alt Linux
Apache Http Server
Apple Macos
Red Os