CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

CVE-2021-41773
CVSS 9.8 · EPSS 94.38%

Apache's Forbidden Dance: The Path Traversal Disaster of 2.4.49

Alon Barad
Software Engineer

Jan 7, 2026 · 6 min read

Active Exploitation · CISA KEV Listed · Ransomware Use

Executive Summary (TL;DR)

Apache 2.4.49 introduced a new path normalization function that forgot how URL encoding works. By replacing dots with `%2e`, attackers can walk out of the web root (`/var/www/html`) and into the server root (`/`). If `mod_cgi` is on, they can execute `/bin/sh` and take over the box. Patch immediately to 2.4.51 (skip 2.4.50, it was broken too).

A critical path traversal vulnerability in Apache HTTP Server 2.4.49 allows unauthenticated attackers to map URLs to files outside the expected document root. If CGI is enabled, this escalates to Remote Code Execution (RCE). The flaw stems from a botched path normalization logic change that failed to account for URL-encoded characters.
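As an added illustration of the detection side (example code, not from the report or from Apache), the check below percent-decodes request targets before normalizing them, which is exactly the step the 2.4.49 normalizer skipped, and flags any request whose decoded path climbs above the document root. The log lines are constructed samples, and the document root is assumed to be the request-path prefix `/`.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines (not real traffic). Lines 2-4 use
# encoded dots that 2.4.49 missed; line 5 is a plain '..' that stays inside the root.
SAMPLE_LOG = """\
198.51.100.7 - - [06/Oct/2021:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [06/Oct/2021:10:12:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/hostname HTTP/1.1" 200 71
198.51.100.7 - - [06/Oct/2021:10:12:03 +0000] "GET /icons/%2e%2e/%2e%2e/etc/hostname HTTP/1.1" 200 71
198.51.100.7 - - [06/Oct/2021:10:12:04 +0000] "GET /cgi-bin/.%%32%65/.%%32%65/etc/hostname HTTP/1.1" 200 71
198.51.100.7 - - [06/Oct/2021:10:12:05 +0000] "GET /docs/../index.html?x=1 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_path(raw, max_rounds=3):
    """Percent-decode until stable (bounded), so single and double encodings of '.' both collapse."""
    cur = raw
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def escapes_root(path):
    """True when the decoded path climbs above the document root (depth goes negative)."""
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        depth += -1 if seg == ".." else 1
        if depth < 0:
            return True
    return False


def flag_traversal(log_text):
    """Return (line_no, raw_target, decoded_path) for requests that leave the root after decoding."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.search(line)
        raw = m.group("target").split("?", 1)[0] if m else ""  # drop the query string
        decoded = decode_path(raw)
        if escapes_root(decoded):
            hits.append((n, raw, decoded))
    return hits
```

Running `flag_traversal(SAMPLE_LOG)` reports lines 2, 3 and 4 and leaves line 5 alone, because a literal `..` that never leaves the root is ordinary normalization, not an escape.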

Official Patches

Apache: Apache HTTP Server 2.4 vulnerabilities list


CVSS Score: 9.8 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Probability: 94.38% (top 0% most exploited)
Estimated exposed hosts via Shodan: 100,000

Affected Systems

Apache HTTP Server 2.4.49

Affected Versions Detail

Product: Apache HTTP Server (Apache Software Foundation)
Affected Versions: = 2.4.49
Fixed Version: 2.4.51

Attribute / Detail

CWE ID: CWE-22
Attack Vector: Network
CVSS: 9.8 (Critical)
EPSS Score: 94.38%
Impact: RCE & Information Disclosure
Exploit Status: Active / Weaponized
KEV Listed: Yes

MITRE ATT&CK Mapping

  • T1190 Exploit Public-Facing Application (Initial Access)
  • T1005 Data from Local System (Collection)
  • T1059.004 Command and Scripting Interpreter: Unix Shell (Execution)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Known Exploits & Detection

  • Metasploit: Apache 2.4.49/2.4.50 Traversal RCE Module
  • Exploit-DB: Apache HTTP Server 2.4.49 - Path Traversal & RCE
  • Nuclei: Detection Template Available

Vulnerability Timeline

  • 2021-09-15: Apache 2.4.49 Released
  • 2021-09-29: Fix committed to trunk
  • 2021-10-05: Vulnerability Publicly Disclosed
  • 2021-10-06: Mass Exploitation Begins
  • 2021-10-07: Bypass found (CVE-2021-42013)
  • 2021-11-03: Added to CISA KEV

Related Vulnerabilities

  • CVE-2021-42013
