Apache HTTP Server
Moderate fix1 remedy
cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*
Moderate fix1 remedy
- >= 2.4.0, <= 2.4.67
Apache HTTP Server mod_proxy_ftp Infinite Loop Vulnerability
Vulnerability
Patched
An infinite loop vulnerability has been identified in the mod_proxy_ftp module of Apache HTTP Server. This issue occurs when the server is connected to an attacker-controlled backend FTP server, causing the server to enter a loop with no reachable exit condition. This vulnerability affects Apache HTTP Server versions 2.4.0 through 2.4.67.
Impact
Exploitation of this vulnerability leads to an infinite loop, causing a denial-of-service condition by exhausting server resources.
Reproduction
To reproduce this vulnerability, configure Apache HTTP Server to use the mod_proxy_ftp module. Set up a reverse proxy that directs traffic to an FTP server controlled by an attacker. When a request is made that triggers the proxy_ftp_handler, the server will enter an infinite loop, processing no further requests until the connection is closed.
Remediation
Users are advised to upgrade to Apache HTTP Server version 2.4.68, which addresses this vulnerability.
Added: Jun 8, 2026, 5:07 PM
Updated: Jun 8, 2026, 5:07 PM
Vulnerability Rating
Custom Algorithm
spread
9.4impact
2.5exploitability
7.9remediation
7.7relevance
9.4threat
1.6urgency
2.9incentive
4.2Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.