Latest in branch 2.4: 2.4.67, released 04 May 2026 (30 days ago)

Software: Apache HTTP Server
Branch: 2.4
Status: Supported
Initial release: 2.4.0, 21 Feb 2012 (14 years ago)
Latest release: 2.4.67, 04 May 2026 (30 days ago)
Security support end: TBD (Supported)
Release notes: https://downloads.apache.org/httpd/CHANGES_2.4
Source code: https://github.com/apache/httpd/tree/2.4.67
Documentation: https://httpd.apache.org/docs/2.4/

What Is New in Apache HTTP Server 2.4

The 2.4 branch of Apache HTTP Server has been the stable, long-term production line since its initial GA release and continues to receive regular security patches, module updates, and incremental improvements. The latest release is 2.4.67, which addresses 11 CVEs -- including a critical HTTP/2 double-free vulnerability -- and brings updated submodule versions for mod_md and mod_http2. The summary below covers the full arc of changes across the 2.4 branch.

Highlights by category

New features: Event MPM promoted to fully supported; run-time loadable MPMs; HTTP/2 support via mod_http2 (2.4.17+); Brotli compression via mod_brotli (2.4.26+); ACME/Let's Encrypt automation via mod_md (2.4.30+); Redis object cache via mod_socache_redis (2.4.39+); systemd integration via mod_systemd (2.4.42+); FastCGI authorization via mod_authnz_fcgi; WebSocket tunneling via mod_proxy_wstunnel; form-based auth via mod_auth_form; Lua scripting via mod_lua; per-request <If>/<ElseIf>/<Else> config blocks; general-purpose expression parser

Improvements: mod_ssl: OCSP stapling, TLS 1.3 support (requires OpenSSL 1.1.1, httpd 2.4.43+), EC key support, memcached session sharing; mod_proxy: Unix domain socket backends, configurable source address; mod_cache: stale serving on 5xx, per-directory settings, X-Cache headers; mod_rewrite: QSD and END flags, SQL rewrite maps; AllowOverrideList for fine-grained .htaccess control; KeepAliveTimeout in milliseconds; mod_http2 updated to 2.0.39; mod_md updated to 2.6.10; mime.types updated with HEIC, HEIF, vnd.sqlite3

Bug fixes: HTTP/2 double-free (CVE-2026-23918); RewriteCond expr always-true regression (CVE-2025-54090); mod_md integer overflow in ACME retry backoff (CVE-2025-55753); SSI exec cmd query string injection via mod_cgid (CVE-2025-58098); mod_authn_socache NULL dereference crash in forward proxy (CVE-2026-33007); mod_dav_lock NULL dereference crash (CVE-2026-29169); mod_auth_digest timing attack bypass (CVE-2026-33006); HTTP response splitting in multiple modules (CVE-2026-33523, CVE-2024-42516)

Breaking changes: Modules compiled for Apache 2.2 must be recompiled for 2.4; NameVirtualHost directive deprecated and no longer needed; TLS upgrade support (SSLEngine optional) removed in 2.4.64 to close CVE-2025-49812; header names containing invalid characters (including underscores) are no longer converted to CGI environment variables

Deprecations: Apache 2.2.x reached end-of-life; NameVirtualHost directive deprecated; ContentDigest directive slated for removal in the upcoming 2.6 branch; mod_dav_lock has no remaining known use-case and should be removed if not needed

What security vulnerabilities were fixed in Apache HTTP Server 2.4.67?

Apache 2.4.67 is a mandatory security upgrade that patches 11 CVEs, including a critical HTTP/2 double-free that could allow remote code execution on servers running 2.4.66.

The most urgent fix is CVE-2026-23918 (CVSS 8.8) -- a double-free memory corruption bug in the HTTP/2 protocol handler. When a client sends a crafted "early stream reset" frame, the server attempts to free the same memory region twice, which can lead to code execution. This flaw is exclusive to 2.4.66 and was introduced by changes in the mod_http2 allocator. If you are running 2.4.66, treat this upgrade as critical.

The second high-impact fix is CVE-2026-24072, a privilege escalation via ap_expr that affects 2.4.66 and earlier. In configurations where users can write .htaccess files, they could read files with the privileges of the httpd process itself. Watch out for this on shared hosting platforms where AllowOverride is not tightly locked down.

The 2.4.67 release also addresses a cluster of memory safety bugs in mod_proxy_ajp:

  • CVE-2026-28780 -- heap-based buffer overflow in ajp_msg_check_header(), triggerable by a malicious AJP backend
  • CVE-2026-33857 -- off-by-one out-of-bounds reads in AJP getter functions
  • CVE-2026-34032 -- heap buffer over-read due to missing null-termination in ajp_msg_get_string()
  • CVE-2026-34059 -- heap over-read and memory disclosure in ajp_parse_data()

In practice, these AJP flaws require an attacker to control or spoof the AJP backend (e.g. a compromised Tomcat instance). They are rated low individually, but together they represent a significant attack surface if your AJP backend is exposed to untrusted network paths. The standard mitigation is to bind mod_proxy_ajp to localhost and use a firewall rule to block external AJP access (port 8009).

Additional fixes in 2.4.67 include a mod_auth_digest timing attack (CVE-2026-33006) that allows authentication bypass, a mod_authn_socache NULL dereference (CVE-2026-33007) that crashes child processes in caching proxy setups, and HTTP response splitting via compromised backend servers (CVE-2026-33523).

A patch for mod_md (CVE-2026-29168) fixes unrestricted memory allocation via crafted OCSP response data -- relevant for any site using Let's Encrypt automation through mod_md.

What were the major security fixes in Apache HTTP Server 2.4.64 through 2.4.66?

The 2.4.64 and 2.4.66 releases addressed a dense wave of vulnerabilities, many of which had been tracked since 2024 but required significant research or patching effort before fixes were ready.

2.4.64 highlights:

  • CVE-2025-49812 -- HTTP desynchronization (ALPACA-class) attack via SSLEngine optional. A man-in-the-middle attacker could hijack an HTTP session during a TLS upgrade. The fix in 2.4.64 removes TLS upgrade support entirely. If you relied on SSLEngine optional, review your vhost configuration before upgrading.
  • CVE-2025-23048 -- mod_ssl TLS 1.3 session resumption bypass. In multi-vhost setups using separate SSLCACertificateFile per vhost, a client trusted on one vhost could access another. Affected 2.4.35 through 2.4.63. The fix requires SSLStrictSNIVHostCheck or upgrading.
  • CVE-2024-43394 -- SSRF via UNC paths on Windows. Apache on Windows with AllowEncodedSlashes On and MergeSlashes Off could be coerced into leaking NTLM hashes to an attacker-controlled SMB server via mod_rewrite or ap_expr expressions.
  • CVE-2024-42516 -- HTTP response splitting (a reclassification of CVE-2023-38709 whose 2.4.59 patch was incomplete). Attackers who can influence Content-Type response headers can inject a crafted response that splits the HTTP stream.
  • CVE-2025-53020 -- HTTP/2 memory growth leading to denial of service, affecting 2.4.17 through 2.4.63.

2.4.65 was a rapid hotfix release correcting a critical regression introduced in 2.4.64: CVE-2025-54090 caused all "RewriteCond expr ..." expressions to evaluate as true, effectively disabling conditional rewrite logic across the board. Any team running 2.4.64 in production with mod_rewrite in use was vulnerable to logic bypass. This is a textbook example of why testing canary deployments before full rollout matters.

2.4.66 highlights:

  • CVE-2025-58098 -- mod_cgid (not mod_cgi) passes the shell-escaped query string to SSI #exec cmd= directives. Affects all prior 2.4.x when SSI is enabled with mod_cgid.
  • CVE-2025-59775 -- Windows-only NTLM leakage via UNC SSRF (a new variant beyond CVE-2024-43394, reported by Orange Tsai).
  • CVE-2025-66200 -- mod_userdir + suexec privilege bypass. Users with access to RequestHeader in .htaccess could cause CGI scripts to execute under an unexpected user ID. Affects 2.4.7 through 2.4.65.
  • CVE-2025-65082 -- CGI environment variable override. Apache config-level environment variables unexpectedly superseded server-calculated variables for CGI programs, allowing configuration-based manipulation of CGI behavior.
  • CVE-2025-55753 -- mod_md integer overflow causing the ACME certificate renewal backoff timer to reach zero after roughly 30 days of failures, triggering a tight retry loop that hammers the ACME endpoint.

What major new modules and features did the Apache 2.4 branch introduce compared to 2.2?

Apache 2.4 is a generational upgrade over 2.2, introducing production-grade HTTP/2, ACME certificate automation, the Event MPM, Brotli compression, and a greatly expanded proxy ecosystem.

The most impactful addition for modern infrastructure is mod_http2 (available since 2.4.17), which enables the HTTP/2 transport layer. HTTP/2 brings multiplexed streams, header compression, and server push over a single TLS connection. Most teams enable it with a minimal configuration change:

# Advertise HTTP/2 (h2) with HTTP/1.1 as the fallback; browsers only use h2 over TLS
Protocols h2 http/1.1
# Accept a client that starts the connection with the HTTP/2 preface directly,
# without an Upgrade handshake
H2Direct on

mod_md (available since 2.4.30) automates TLS certificate provisioning via the ACME protocol -- the same mechanism used by Let's Encrypt. It handles certificate issuance, renewal, and OCSP stapling without manual intervention. This matters if you manage dozens or hundreds of vhosts; manual certificate renewal at scale is operationally unsustainable.

mod_brotli (available since 2.4.26) adds Brotli compression alongside the long-standing mod_deflate (gzip). Brotli typically achieves 15--25% better compression ratios than gzip for text-based assets. Most teams configure both, with Brotli preferred where the client indicates support via Accept-Encoding.

The Event MPM, promoted from experimental to fully supported in 2.4, decouples idle keepalive connections from worker threads. In practice this dramatically improves connection concurrency under load compared to the Prefork and Worker MPMs, particularly with SSL and HTTP/2 traffic.

The proxy module ecosystem expanded significantly:

  • mod_proxy_fcgi -- FastCGI backend, the standard for PHP-FPM
  • mod_proxy_wstunnel (2.4.5+) -- WebSocket tunneling for Node.js and similar backends
  • mod_proxy_http2 (2.4.19+) -- HTTP/2 backend support for reverse proxy setups
  • mod_proxy_uwsgi (2.4.30+) -- uWSGI gateway for Python applications
  • mod_proxy_hcheck (2.4.21+) -- independent health checks for backend servers
  • mod_proxy_express -- dynamically configured mass reverse proxy

mod_systemd (available since 2.4.42) integrates httpd with systemd's service notification protocol (Type=notify), enabling proper startup sequencing and readiness signaling in systemd-managed environments.

mod_socache_redis (available since 2.4.39) adds Redis as a shared object cache provider, useful for SSL session caching and authentication caching in multi-server clusters.

What configuration and behavioral changes in Apache 2.4 require attention when upgrading from 2.2?

Upgrading from Apache 2.2 to 2.4 requires configuration review in several areas -- access control syntax changed completely, and several behaviors were tightened in ways that silently break legacy setups.

The most common migration issue is access control syntax. The 2.2 Order/Allow/Deny directives are replaced in 2.4 by Require-based authorization:

# Apache 2.2 (no longer valid in 2.4 without mod_access_compat)
Order allow,deny
Allow from all

# Apache 2.4 equivalent
Require all granted

Most distributions ship mod_access_compat to ease this transition, but relying on it long-term is not recommended. Review every Directory and Location block before upgrading.

Header names with underscores are no longer converted to CGI environment variables. If your CGI scripts or FastCGI applications expect header names like X_Custom_Header to arrive as environment variables, they will silently disappear in 2.4. Switch to hyphens (X-Custom-Header) or use the HTTPD_CGI_PASS_ERROR_HEADERS workaround documented in the Apache environment variables guide.

NameVirtualHost is deprecated. In 2.4, name-based virtual hosting is the default and the directive is ignored. Remove it from configurations to avoid confusion.

All modules compiled for 2.2 must be recompiled for 2.4. The API changed. Third-party modules in particular -- mod_security, mod_pagespeed, custom modules -- need updated versions built against the 2.4 headers. This is non-negotiable and cannot be skipped.

AllowOverride and AllowOverrideList give finer-grained control over what .htaccess files can do. The new AllowOverrideList directive lets you permit specific directives without opening up an entire category, which is useful for multi-tenant environments where you need to allow rewrites but not authentication overrides.

This matters if you are running a platform where customers can deploy .htaccess files -- the combination of CVE-2026-24072 (privilege escalation via ap_expr in .htaccess) and the 2.4.66 codebase is a strong argument for auditing AllowOverride settings and upgrading to 2.4.67 promptly.
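As an added example (not code from this page or from the Apache project), the script below scans an httpd.conf excerpt for the migration points discussed above: 2.2-style Order/Allow/Deny, NameVirtualHost, SSLEngine optional, and a blanket AllowOverride All. The sample configuration embedded in it is constructed, and the container tracking assumes one directive per line.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line: int        # 1-based line number in the scanned text
    directive: str   # the directive that triggered the rule
    context: str     # enclosing <Directory>/<VirtualHost>/... or "server config"
    message: str     # migration advice drawn from the notes above


# Each rule is a regex matched against a logical config line plus the advice.
# Comment lines and blank lines are skipped before matching.
RULES = [
    (re.compile(r"^(Order|Allow|Deny)\b", re.I),
     "2.2 access control; rewrite as a Require directive "
     "(mod_access_compat only bridges the transition)"),
    (re.compile(r"^NameVirtualHost\b", re.I),
     "deprecated and ignored in 2.4; remove it"),
    (re.compile(r"^SSLEngine\s+optional\b", re.I),
     "TLS upgrade support was removed in 2.4.64 (CVE-2025-49812); "
     "serve TLS from a dedicated vhost with SSLEngine on"),
    (re.compile(r"^AllowOverride\s+All\b", re.I),
     "grants every .htaccess category; prefer an explicit list or "
     "AllowOverrideList in multi-tenant setups (see CVE-2026-24072)"),
]


def audit_config(text: str) -> List[Finding]:
    """Return one Finding per configuration line that needs attention."""
    findings: List[Finding] = []
    stack: List[str] = []  # currently open container sections
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):          # closing a container
            if stack:
                stack.pop()
            continue
        if line.startswith("<"):           # opening a container
            stack.append(line.strip("<>"))
            continue
        for pattern, advice in RULES:
            if pattern.match(line):
                ctx = stack[-1] if stack else "server config"
                findings.append(Finding(n, line.split()[0], ctx, advice))
                break                      # one finding per line is enough
    return findings


# Constructed sample, not a real server configuration.
SAMPLE_CONF = """\
# constructed sample httpd.conf excerpt
NameVirtualHost *:80
<VirtualHost *:443>
    SSLEngine optional
    <Directory "/srv/www/tenant1">
        Order allow,deny
        Allow from all
        AllowOverride All
    </Directory>
</VirtualHost>
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONF):
        print(f"line {f.line} [{f.context}] {f.directive}: {f.message}")
```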

Frequently Asked Questions about Apache HTTP Server 2.4

Is Apache HTTP Server 2.4.67 safe to run in production, and what is the urgency of upgrading from 2.4.66?
If you are running 2.4.66, the upgrade to 2.4.67 is urgent due to CVE-2026-23918, a double-free vulnerability in the HTTP/2 handler that can allow remote code execution. Any server with HTTP/2 enabled (Protocols h2 http/1.1) and internet-facing exposure should be patched without delay. Servers running 2.4.65 or earlier do not carry that specific CVE but should still upgrade to benefit from the AJP, mod_auth_digest, and mod_authn_socache fixes addressed in 2.4.67.

What happened to the RewriteCond regression in Apache 2.4.64?
Apache 2.4.64 introduced a bug tracked as CVE-2025-54090 where all "RewriteCond expr ..." expressions evaluated as true regardless of the actual condition, effectively bypassing all conditional rewrite logic. The 2.4.65 hotfix release corrected this within days. Teams running 2.4.64 should verify they have moved to at least 2.4.65 to restore correct mod_rewrite behavior.

Does Apache 2.4 support HTTP/2 out of the box, and what is required to enable it?
HTTP/2 is provided by mod_http2, available since 2.4.17, which must be built or loaded explicitly. The server must be running on TLS (HTTPS) for browser clients because all major browsers require TLS for HTTP/2. The minimum configuration to enable it is to load mod_http2 and add "Protocols h2 http/1.1" to the server or vhost configuration. Apache must also be built against a sufficiently modern OpenSSL, and TLS 1.3 operation specifically requires OpenSSL 1.1.1 and Apache 2.4.43 or newer.

How does mod_md automate TLS certificate renewal, and what bug was fixed in 2.4.66?
mod_md implements the ACME protocol to communicate with certificate authorities such as Let's Encrypt. It handles initial certificate issuance, tracks expiry, renews certificates automatically before they expire, and manages OCSP stapling. A bug fixed in 2.4.66 (CVE-2025-55753) caused an integer overflow in the ACME retry backoff counter: after roughly 30 days of renewal failures the backoff timer wrapped to zero, causing the module to hammer the ACME endpoint continuously with no delay until the renewal succeeded. Operators running mod_md should also note that 2.4.67 updates mod_md to version 2.6.10 with additional fixes around certificate renewal job state tracking.

Are there security concerns specific to running Apache on Windows with mod_proxy or mod_rewrite?
Yes. Windows installations have been the subject of several SSRF vulnerabilities in the 2.4 branch related to UNC path handling. CVE-2024-43394 (fixed in 2.4.64) allowed NTLM hash leakage via mod_rewrite or ap_expr expressions that passed unvalidated UNC paths. CVE-2025-59775 (fixed in 2.4.66) covered a related variant using AllowEncodedSlashes On combined with MergeSlashes Off. Windows administrators should ensure they are on 2.4.67 and should limit the set of hosts the server can connect to over SMB at the OS firewall level, since NTLM authentication is transparent and hard to suppress at the httpd config layer.

What is the fastest way to verify which Apache 2.4 CVEs a running server is exposed to?
Run "httpd -v" or "apache2 -v" to confirm the installed version, then cross-reference against the official Apache httpd security page at httpd.apache.org/security/vulnerabilities_24.html. Each CVE entry lists the affected version range explicitly. For example, CVE-2026-23918 affects only 2.4.66, while CVE-2026-24072 affects all versions through 2.4.66. If you use a Linux distribution's packaged httpd, the version string alone may not reflect backported patches; consult the distribution's security advisory tracker (such as Red Hat RHSA or Debian DSA) to confirm which CVEs have been addressed in your installed package.
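As an added illustration of that cross-referencing step (not code from this page or from the Apache project), the script below parses "httpd -v" output and checks the version against the affected ranges stated on this page. Where the page gives no lower bound, 2.4.0 is assumed; the table is a transcription of this page only, and distribution backports are not accounted for.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges as stated on this page (inclusive bounds). Equal bounds mean
# the CVE affects that single release only. Lower bounds the page does not
# state are assumed to be 2.4.0.
AFFECTED: Dict[str, Tuple[str, str, str]] = {
    "CVE-2026-23918": ("2.4.66", "2.4.66", "HTTP/2 double-free; fixed in 2.4.67"),
    "CVE-2026-24072": ("2.4.0", "2.4.66", "ap_expr privilege escalation via .htaccess; fixed in 2.4.67"),
    "CVE-2025-54090": ("2.4.64", "2.4.64", "RewriteCond expr always true; fixed in 2.4.65"),
    "CVE-2025-66200": ("2.4.7", "2.4.65", "mod_userdir + suexec privilege bypass; fixed in 2.4.66"),
    "CVE-2025-58098": ("2.4.0", "2.4.65", "SSI exec cmd query string injection via mod_cgid; fixed in 2.4.66"),
    "CVE-2025-23048": ("2.4.35", "2.4.63", "mod_ssl TLS 1.3 session resumption bypass; fixed in 2.4.64"),
    "CVE-2025-53020": ("2.4.17", "2.4.63", "HTTP/2 memory growth DoS; fixed in 2.4.64"),
}


def parse_version(text: str) -> Version:
    """Extract x.y.z from a bare version string or from "httpd -v" output
    such as 'Server version: Apache/2.4.66 (Unix)'."""
    m = re.search(r"(?:Apache/)?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no Apache version found in {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def exposed_cves(text: str) -> List[str]:
    """CVE ids from AFFECTED whose stated range covers the detected version.
    Versions outside the 2.4 branch are out of scope and return no hits."""
    v = parse_version(text)
    if v[:2] != (2, 4):
        return []
    return sorted(cve for cve, (low, high, _) in AFFECTED.items()
                  if parse_version(low) <= v <= parse_version(high))


def report(text: str) -> str:
    """Human-readable summary, with the backport caveat from the FAQ above."""
    v = parse_version(text)
    hits = exposed_cves(text)
    lines = [f"Apache {v[0]}.{v[1]}.{v[2]}: {len(hits)} listed CVE(s) by version string"]
    lines += [f"  {cve}: {AFFECTED[cve][2]}" for cve in hits]
    lines.append("  note: distro packages may carry backported fixes; check the vendor advisory")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample of "httpd -v" output; on a real host pipe the command in.
    print(report("Server version: Apache/2.4.66 (Unix)"))
```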

Releases In Branch 2.4

Version                   Release date
2.4.67                    04 May 2026   (30 days ago)
2.4.67-rc2-candidate      28 Apr 2026   (1 month ago)
2.4.67-rc1-candidate      26 Apr 2026   (1 month ago)
2.4.66                    04 Dec 2025   (5 months ago)
2.4.66-rc1-candidate      01 Dec 2025   (6 months ago)
2.4.65                    23 Jul 2025   (10 months ago)
2.4.65-rc1-candidate      21 Jul 2025   (10 months ago)
2.4.65-rc2-candidate      21 Jul 2025   (10 months ago)
2.4.65-rc3-candidate      21 Jul 2025   (10 months ago)
2.4.64                    10 Jul 2025   (10 months ago)
2.4.64-rc1-candidate      07 Jul 2025   (10 months ago)
2.4.64-rc2-candidate      07 Jul 2025   (10 months ago)
2.4.63                    23 Jan 2025   (1 year ago)
2.4.63-candidate          20 Jan 2025   (1 year ago)
2.4.62                    17 Jul 2024   (1 year ago)
2.4.62-rc1-candidate      15 Jul 2024   (1 year ago)
2.4.61                    03 Jul 2024   (1 year ago)
2.4.61-rc1-candidate      02 Jul 2024   (1 year ago)
2.4.60                    01 Jul 2024   (1 year ago)
2.4.60-rc4-candidate      26 Jun 2024   (1 year ago)
2.4.60-rc2-candidate      25 Jun 2024   (1 year ago)
2.4.60-rc3-candidate      25 Jun 2024   (1 year ago)
2.4.60-rc1-candidate      24 Jun 2024   (1 year ago)
2.4.59                    04 Apr 2024   (2 years ago)
2.4.55                    03 Apr 2024   (2 years ago)
2.4.59-rc1-candidate      03 Apr 2024   (2 years ago)
2.4.58                    19 Oct 2023   (2 years ago)
2.4.58-rc1-candidate      16 Oct 2023   (2 years ago)
2.4.58-rc2-candidate      16 Oct 2023   (2 years ago)
2.4.58-rc3-candidate      16 Oct 2023   (2 years ago)
2.4.57                    06 Apr 2023   (3 years ago)
2.4.57-rc1-candidate      02 Apr 2023   (3 years ago)
2.4.56                    07 Mar 2023   (3 years ago)
2.4.56-candidate          05 Mar 2023   (3 years ago)
2.4.56-rc1-candidate      05 Mar 2023   (3 years ago)
2.4.55-rc1-candidate      10 Jan 2023   (3 years ago)
2.4.54                    08 Jun 2022   (3 years ago)
2.4.54-rc3-candidate      06 Jun 2022   (3 years ago)
2.4.54-rc2-candidate      04 Jun 2022   (3 years ago)
2.4.54-rc1-candidate      03 Jun 2022   (4 years ago)
2.4.53                    14 Mar 2022   (4 years ago)
2.4.53-rc2-candidate      09 Mar 2022   (4 years ago)
2.4.53-rc1-candidate      07 Mar 2022   (4 years ago)
2.4.52                    20 Dec 2021   (4 years ago)
2.4.51                    07 Oct 2021   (4 years ago)
2.4.50                    04 Oct 2021   (4 years ago)
2.4.49                    15 Sep 2021   (4 years ago)
2.4.48                    17 May 2021   (5 years ago)
2.4.47                    22 Apr 2021   (5 years ago)
2.4.46                    01 Aug 2020   (5 years ago)
2.4.45                    29 Jul 2020   (5 years ago)
2.4.44                    28 Jul 2020   (5 years ago)
2.4.43                    26 Mar 2020   (6 years ago)
2.4.42                    19 Mar 2020   (6 years ago)
2.4.41                    09 Aug 2019   (6 years ago)
2.4.40                    02 Aug 2019   (6 years ago)
2.4.39                    27 Mar 2019   (7 years ago)
2.4.28                    17 Jan 2019   (7 years ago)
2.4.38                    17 Jan 2019   (7 years ago)
2.4.37                    18 Oct 2018   (7 years ago)
2.4.36                    10 Oct 2018   (7 years ago)
2.4.35                    18 Sep 2018   (7 years ago)
2.4.34                    10 Jul 2018   (7 years ago)
2.4.33                    17 Mar 2018   (8 years ago)
2.4.32                    10 Mar 2018   (8 years ago)
2.4.31                    03 Mar 2018   (8 years ago)
2.4.30                    19 Feb 2018   (8 years ago)
2.4.29                    17 Oct 2017   (8 years ago)
2.4.27                    06 Jul 2017   (8 years ago)
2.4.26                    13 Jun 2017   (8 years ago)
2.4.24                    16 Dec 2016   (9 years ago)
2.4.25                    16 Dec 2016   (9 years ago)
2.4.23                    30 Jun 2016   (9 years ago)
2.4.22                    20 Jun 2016   (9 years ago)
2.4.21                    16 Jun 2016   (9 years ago)
2.4.20                    04 Apr 2016   (10 years ago)
2.4.19                    21 Mar 2016   (10 years ago)
2.4.18                    08 Dec 2015   (10 years ago)
2.4.17                    09 Oct 2015   (10 years ago)
2.4.16                    10 Jul 2015   (10 years ago)
2.4.15                    19 Jun 2015   (10 years ago)
2.4.14                    11 Jun 2015   (10 years ago)
2.4.13                    04 Jun 2015   (10 years ago)
2.4.12                    22 Jan 2015   (11 years ago)
2.4.11                    15 Jan 2015   (11 years ago)
2.4.10                    15 Jul 2014   (11 years ago)
2.4.9                     13 Mar 2014   (12 years ago)
2.4.8                     11 Mar 2014   (12 years ago)
2.4.7                     19 Nov 2013   (12 years ago)
2.4.6                     15 Jul 2013   (12 years ago)
2.4.5                     11 Jul 2013   (12 years ago)
2.4.4                     18 Feb 2013   (13 years ago)
2.4.3                     17 Aug 2012   (13 years ago)
2.4.2                     05 Apr 2012   (14 years ago)
2.4.0                     21 Feb 2012   (14 years ago)
2.4.1                     13 Feb 2012   (14 years ago)