CVE-2021-40438

Name: CVE-2021-40438
Creator: NVD / NIST
Published: 2021-09-16T15:15:07.633+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9/10Actively ExploitedEPSS 100.00%

Last modified Jun 17, 2026

CVE-2021-40438 is a critical-severity vulnerability rated 9/10 on the CVSS scale. A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.. CISA has confirmed active exploitation in the wild. EPSS estimates a 100.00% chance of exploitation in the next 30 days.

Description

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

Metrics

CVSS 3.1

9/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Probability

100.00%

100.0th percentile

Probability of exploitation in the next 30 days. Learn more

Exploitation Status

This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by Dec 15, 2021.

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Resf	Rocky Linux	8.0
Redhat	Enterprise Linux	8.0
Redhat	Enterprise Linux Eus	8.1
Redhat	Enterprise Linux Eus	8.2
Redhat	Enterprise Linux Eus	8.4
Redhat	Enterprise Linux Eus	8.6
Redhat	Enterprise Linux Eus	8.8
Redhat	Enterprise Linux For Arm 64	8.0
Redhat	Enterprise Linux For Arm 64 Eus	8.6
Redhat	Enterprise Linux For Arm 64 Eus	8.8
Redhat	Enterprise Linux For Ibm Z Systems	7.0_s390x
Redhat	Enterprise Linux For Ibm Z Systems	8.0
Redhat	Enterprise Linux For Ibm Z Systems Eus	8.1
Redhat	Enterprise Linux For Ibm Z Systems Eus	8.4
Redhat	Enterprise Linux For Ibm Z Systems Eus	8.8
Redhat	Enterprise Linux For Ibm Z Systems Eus S390x	8.2
Redhat	Enterprise Linux For Power Big Endian	7.0
Redhat	Enterprise Linux For Power Little Endian	7.0
Redhat	Enterprise Linux For Power Little Endian	8.0
Redhat	Enterprise Linux For Power Little Endian Eus	8.1
Redhat	Enterprise Linux For Power Little Endian Eus	8.2
Redhat	Enterprise Linux For Power Little Endian Eus	8.4
Redhat	Enterprise Linux For Power Little Endian Eus	8.6
Redhat	Enterprise Linux For Power Little Endian Eus	8.8
Redhat	Enterprise Linux For Scientific Computing	7.0
Redhat	Enterprise Linux Server	7.0
Redhat	Enterprise Linux Server Aus	7.2
Redhat	Enterprise Linux Server Aus	7.3
Redhat	Enterprise Linux Server Aus	7.4
Redhat	Enterprise Linux Server Aus	7.6
Redhat	Enterprise Linux Server Aus	7.7
Redhat	Enterprise Linux Server Aus	8.2
Redhat	Enterprise Linux Server Aus	8.4
Redhat	Enterprise Linux Server Aus	8.6
Redhat	Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions	7.6
Redhat	Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions	7.7
Redhat	Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions	8.1
Redhat	Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions	8.2
Redhat	Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions	8.4
Redhat	Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions	8.6
Redhat	Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions	8.8
Redhat	Enterprise Linux Server Tus	7.6
Redhat	Enterprise Linux Server Tus	7.7
Redhat	Enterprise Linux Server Tus	8.2
Redhat	Enterprise Linux Server Tus	8.4
Redhat	Enterprise Linux Server Tus	8.6
Redhat	Enterprise Linux Server Tus	8.8
Redhat	Enterprise Linux Server Update Services For Sap Solutions	7.6
Redhat	Enterprise Linux Server Update Services For Sap Solutions	7.7
Redhat	Enterprise Linux Update Services For Sap Solutions	8.1

Showing 50 of 83 affected configurations. See NVD for the full list.

References

https://cert-portal.siemens.com/productcert/pdf/ssa-685781.pdfThird Party Advisory
https://httpd.apache.org/security/vulnerabilities_24.htmlRelease Notes, Vendor Advisory
https://lists.apache.org/thread.html/r210807d0bb55f4aa6fbe1512be6bcc4dacd64e84940429fba329967a%40%3Cusers.httpd.apache.org%3EMailing List
https://lists.apache.org/thread.html/r2eb200ac1340f69aa22af61ab34780c531d110437910cb9c0ece3b37%40%3Cbugs.httpd.apache.org%3EMailing List
https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432%40%3Cusers.httpd.apache.org%3EMailing List
https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c%40%3Cusers.httpd.apache.org%3EMailing List
https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697%40%3Cusers.httpd.apache.org%3EMailing List
https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029%40%3Cusers.httpd.apache.org%3EMailing List
https://lists.apache.org/thread.html/rf6954e60b1c8e480678ce3d02f61b8a788997785652e9557a3265c00%40%3Cusers.httpd.apache.org%3EMailing List
https://lists.debian.org/debian-lts-announce/2021/10/msg00001.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/Release Notes
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/Release Notes
https://security.gentoo.org/glsa/202208-20Third Party Advisory
https://security.netapp.com/advisory/ntap-20211008-0004/Third Party Advisory
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQBroken Link, Third Party Advisory
https://www.debian.org/security/2021/dsa-4982Mailing List, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
https://www.tenable.com/security/tns-2021-17Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-685781.pdfThird Party Advisory
https://httpd.apache.org/security/vulnerabilities_24.htmlRelease Notes, Vendor Advisory
https://lists.apache.org/thread.html/r210807d0bb55f4aa6fbe1512be6bcc4dacd64e84940429fba329967a%40%3Cusers.httpd.apache.org%3EMailing List
https://lists.apache.org/thread.html/r2eb200ac1340f69aa22af61ab34780c531d110437910cb9c0ece3b37%40%3Cbugs.httpd.apache.org%3EMailing List
https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432%40%3Cusers.httpd.apache.org%3EMailing List
https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c%40%3Cusers.httpd.apache.org%3EMailing List
https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697%40%3Cusers.httpd.apache.org%3EMailing List
https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029%40%3Cusers.httpd.apache.org%3EMailing List
https://lists.apache.org/thread.html/rf6954e60b1c8e480678ce3d02f61b8a788997785652e9557a3265c00%40%3Cusers.httpd.apache.org%3EMailing List
https://lists.debian.org/debian-lts-announce/2021/10/msg00001.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/Release Notes
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/Release Notes
https://security.gentoo.org/glsa/202208-20Third Party Advisory
https://security.netapp.com/advisory/ntap-20211008-0004/Third Party Advisory
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQBroken Link, Third Party Advisory
https://www.debian.org/security/2021/dsa-4982Mailing List, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
https://www.tenable.com/security/tns-2021-17Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-40438US Government Resource

Timeline

Published: Sep 16, 2021
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2021-40438?

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

How severe is CVE-2021-40438?

CVE-2021-40438 has a CVSS score of 9/10 (CRITICAL severity). The EPSS model estimates a 100.00% probability of exploitation in the next 30 days. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

How do I fix CVE-2021-40438?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-40438?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST