CVE-2024-42516

7.5 HIGH

📋 TL;DR

This HTTP response splitting vulnerability in Apache HTTP Server lets an attacker who can influence the Content-Type header of a hosted or proxied application split the HTTP response and inject content of their own. It affects Apache HTTP Server versions before 2.4.64. An earlier fix shipped in 2.4.59 was incomplete, so that version is still affected.

💻 Affected Systems

Products:
  • Apache HTTP Server
Versions: Versions before 2.4.64 (including 2.4.59, whose patch was incomplete)
Operating Systems: All operating systems running Apache HTTP Server
Default Config Vulnerable: ⚠️ Yes
Notes: Affects configurations where Apache hosts or proxies applications that allow Content-Type header manipulation. The vulnerability is in the core server, not specific modules.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could inject malicious content into HTTP responses, leading to cross-site scripting (XSS), session hijacking, cache poisoning, or phishing attacks against users.

🟠 Likely Case

Attackers inject malicious scripts or content into HTTP responses, enabling client-side attacks against users accessing vulnerable applications.

🟢 If Mitigated

With proper input validation and output encoding, the attack surface is reduced, but the core vulnerability remains until patched.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires ability to manipulate Content-Type headers of hosted/proxied applications. No public exploit code identified in references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.64

Vendor Advisory: https://httpd.apache.org/security/vulnerabilities_24.html

Restart Required: Yes

Instructions:

1. Download Apache HTTP Server 2.4.64 from the official Apache website.
2. Back up the current configuration.
3. Stop the Apache service.
4. Install/upgrade to version 2.4.64.
5. Restore the configuration.
6. Start the Apache service.
7. Verify the version with 'httpd -v'.

🔧 Temporary Workarounds

Input Validation Filter (platform: all)

Implement strict input validation and output encoding for Content-Type headers in hosted and proxied applications.

# Application-specific - implement validation in application code

ModSecurity Rule (platform: linux)

Use ModSecurity to detect and block HTTP response splitting attempts:

SecRule REQUEST_HEADERS:Content-Type "@rx (\r|\n|%0d|%0a)" "id:1001,phase:1,deny,msg:'HTTP Response Splitting Attempt'"
SecRule RESPONSE_HEADERS:Content-Type "@rx (\r|\n|%0d|%0a)" "id:1002,phase:3,deny,msg:'HTTP Response Splitting Detected'"

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to detect and block HTTP response splitting patterns
  • Isolate vulnerable servers behind reverse proxies that sanitize HTTP headers

🔍 How to Verify

Check if Vulnerable:

Check the Apache version with 'httpd -v' or 'apache2 -v'. If the version is below 2.4.64, the system is vulnerable.

Check Version:

httpd -v

Verify Fix Applied:

Run 'httpd -v' or 'apache2 -v' and confirm that the version is 2.4.64 or higher.
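The version check described above, written out as an added example (this script is not part of the page or of the Apache project): it parses the banner that 'httpd -v' or 'apache2 -v' prints, compares the version numerically against 2.4.64, and can run against the local binary. The function names and the 'patched'/'vulnerable'/'unknown' labels are the example's own. Distribution packages often backport the fix without changing the reported version, so a 'vulnerable' verdict from the banner alone should be confirmed against the package changelog.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Fixed release named in the advisory: anything older is treated as affected.
FIXED_VERSION: Tuple[int, int, int] = (2, 4, 64)

# First line of `httpd -v` / `apache2 -v`, e.g. "Server version: Apache/2.4.58 (Unix)".
VERSION_LINE = re.compile(r"Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)")


def parse_httpd_version(output: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from the banner; None if it is not Apache httpd."""
    match = VERSION_LINE.search(output)
    if not match:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_vulnerable_version(version: Tuple[int, int, int]) -> bool:
    """Compare numerically: a string compare would rank '2.4.9' above '2.4.64'."""
    return version < FIXED_VERSION


def assess_banner(output: str) -> str:
    """Classify one banner as 'patched', 'vulnerable' or 'unknown' (example labels)."""
    version = parse_httpd_version(output)
    if version is None:
        return "unknown"
    return "vulnerable" if is_vulnerable_version(version) else "patched"


def assess_local_server() -> str:
    """Run whichever binary is installed (httpd or apache2) and classify it.

    Caveat: distribution packages frequently backport security fixes without
    bumping the upstream version string, so a 'vulnerable' verdict from this
    check should be cross-checked against the distribution's package changelog.
    """
    for binary in ("httpd", "apache2"):
        path = shutil.which(binary)
        if path is None:
            continue
        # The banner goes to stdout; stderr is merged in case a build differs.
        result = subprocess.run([path, "-v"], capture_output=True, text=True, check=False)
        return assess_banner(result.stdout + result.stderr)
    return "unknown"


if __name__ == "__main__":
    print(assess_local_server())
```

Run it as a script on the server to get one word back; import it and call `assess_banner()` to classify banners collected from many hosts.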

📡 Detection & Monitoring

Log Indicators:

  • Unusual Content-Type header values containing CR/LF characters
  • Multiple HTTP responses from single request
  • Malformed HTTP headers in access/error logs

Network Indicators:

  • HTTP responses containing unexpected headers or content
  • Responses with multiple 'Content-Type' headers
  • HTTP/1.1 200 OK followed by additional response headers

SIEM Query:

source="apache_access" AND (Content-Type="*\r\n*" OR Content-Type="*%0d%0a*")
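To make the indicators above and the regex in the ModSecurity workaround concrete, here is an added Python example (not from the page or from the Apache project) that applies the same line-break heuristic to captured HTTP responses and to access-log lines. It assumes a custom LogFormat that appends the response Content-Type as a final quoted %{Content-Type}o field; the stock 'combined' format does not log response headers, so the SIEM query above has nothing to match until such a format is configured. The responses and log lines are constructed samples, and all function names are the example's own.

```python
import re
from typing import List

# The three shapes a line break takes in the indicators above: a raw CR/LF
# byte in a header value, the percent-encoded form, and the backslash-escaped
# form Apache writes when it logs a header value containing control characters.
LINE_BREAK = re.compile(r"(\r|\n|\\r|\\n|%0d|%0a)", re.IGNORECASE)

# A status line at the start of any line; more than one in a single captured
# response is the "multiple responses from one request" indicator.
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] \d{3}", re.MULTILINE)


def suspicious_content_type(value: str) -> bool:
    """True when a Content-Type value contains a raw, escaped or encoded line break."""
    return LINE_BREAK.search(value) is not None


def inspect_response(raw: bytes) -> List[str]:
    """Heuristic checks over one captured HTTP response; returns findings.

    A raw CRLF inside a header value has already become extra header lines by
    the time the bytes are captured, so that case surfaces as a duplicate
    Content-Type header or a second status line rather than inside one value;
    the value check catches the bare-LF and percent-encoded variants.
    """
    findings: List[str] = []
    status_lines = STATUS_LINE.findall(raw)
    if len(status_lines) > 1:
        findings.append(f"{len(status_lines)} status lines in one response")

    head, _, _ = raw.partition(b"\r\n\r\n")
    content_types = [
        line.split(b":", 1)[1].strip().decode("latin-1")
        for line in head.split(b"\r\n")[1:]          # skip the status line
        if line.lower().startswith(b"content-type:")
    ]
    if len(content_types) > 1:
        findings.append(f"{len(content_types)} Content-Type headers in one header block")
    for value in content_types:
        if suspicious_content_type(value):
            findings.append(f"line break in Content-Type value: {value!r}")
    return findings


def flag_log_lines(lines: List[str]) -> List[str]:
    """Return access-log lines whose logged response Content-Type is suspicious.

    Assumption: a custom LogFormat ending in a quoted %{Content-Type}o field.
    """
    last_quoted_field = re.compile(r'"([^"]*)"\s*$')
    flagged = []
    for line in lines:
        match = last_quoted_field.search(line)
        if match and suspicious_content_type(match.group(1)):
            flagged.append(line)
    return flagged


# Constructed samples (not captured from any real system).
BENIGN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello"
)
SPLIT_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 0\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 11\r\n\r\nsecond page"
)
ENCODED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain%0d%0aX-Constructed: 1\r\n\r\nbody"
)
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "text/html; charset=UTF-8"',
    '203.0.113.5 - - [10/Jul/2024:12:00:02 +0000] "GET /report HTTP/1.1" 200 0 "text/plain\\r\\nX-Constructed: 1"',
    '203.0.113.5 - - [10/Jul/2024:12:00:03 +0000] "GET /api HTTP/1.1" 200 88 "application/json%0d%0aX-Constructed: 2"',
]

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN_RESPONSE), ("split", SPLIT_RESPONSE), ("encoded", ENCODED_RESPONSE)]:
        print(name, inspect_response(sample) or "no findings")
    for line in flag_log_lines(SAMPLE_LOG):
        print("flagged:", line)
```

The response checks are heuristics: a body that legitimately contains text like "HTTP/1.1 200" at the start of a line will trip the status-line count, so treat a hit as something to review alongside the request that produced it rather than as proof of exploitation.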
