CVE-2025-59775: Apache HTTP Server: NTLM Leakage on Windows through UNC SSRF

[Eric Covener <covener () apache org>]

Severity: moderate 

Affected versions:

- Apache HTTP Server 2.4.0 through 2.4.65

Description:

Server-Side Request Forgery (SSRF) vulnerability 

 in Apache HTTP Server on Windows 

with AllowEncodedSlashes On and MergeSlashes Off  allows to potentially leak NTLM 
hashes to a malicious server via SSRF and malicious requests or content

Users are recommended to upgrade to version 2.4.66, which fixes the issue.

Credit:

Orange Tsai (@orange_8361) from DEVCORE (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-59775

Timeline:

2025-09-10: reported
2025-12-01: fixed in 2.4.x by r1930166