Apache's Billion-Dollar Mistake: How One Line of Code Opened the Web's Front Door
Jan 3, 2026·8 min read·4 visits
Executive Summary (TL;DR)
A botched path normalization change in Apache 2.4.49 allowed attackers to read any file on the server using a simple URL-encoded trick (`.%2e/`). If `mod_cgi` was enabled, this file-read bug became a full-blown RCE, allowing attackers to execute commands as the web server's user. It was a 0-day for a short period and highlights the danger of 'improving' security-critical code without rigorous testing.
CVE-2021-41773 is a critical path traversal vulnerability discovered in Apache HTTP Server version 2.4.49. A flawed change in path normalization logic allowed unauthenticated attackers to map URLs to files outside the expected document root. If CGI scripts were also enabled, this vulnerability could be trivially escalated to achieve remote code execution. The bug was introduced and fixed in rapid succession, but not before being actively exploited in the wild, serving as a stark reminder of how fragile core internet infrastructure can be.
Official Patches
Fix Analysis (1)
Technical Appendix
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HAffected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
Apache HTTP Server Apache Software Foundation | 2.4.49 | 2.4.50 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-22 |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| CVSS Score | 9.8 (Critical for RCE scenario) |
| Impact | Arbitrary File Disclosure, Remote Code Execution |
| Exploit Status | Active Exploitation |
| KEV Status | Yes, added 2021-10-07 |
MITRE ATT&CK Mapping
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.