PatchDay Alert
Analysis · 3 min read · 588 words By analysis-desk

Apache HTTP Server 2.4.49: a path-traversal fix that needed a second fix

CVE-2021-41773 was a path traversal in Apache httpd 2.4.49 that could leak files and, with CGI enabled, reach RCE. The 2.4.50 fix was incomplete, so CVE-2021-42013 followed days later. Two CVEs, one bug, a textbook patch-the-patch.

In October 2021, Apache HTTP Server 2.4.49 shipped with a path-traversal flaw, CVE-2021-41773: a change to how the server normalized URL paths let an attacker use encoded ../ sequences to read files outside the document root and, where mod_cgi was enabled, escalate that to remote code execution. The httpd team released 2.4.50 to fix it. Within days, researchers showed the fix was incomplete: a different encoding bypassed it, CVE-2021-42013 was assigned, and 2.4.51 was required. Two CVEs, one underlying weakness, days apart: a textbook patch-the-patch, and both were mass-exploited because Apache httpd is everywhere and the exploit was trivial.

What the bugs are

CVE-2021-41773 stemmed from a path-normalization change in 2.4.49 that failed to reject traversal sequences in certain encodings, allowing requests to reach files outside the configured directories wherever those files were not protected by the default require all denied. With CGI scripts enabled, the traversal could reach an interpreter and execute commands. CVE-2021-42013 is the bypass of the 2.4.50 fix, using double-encoding to defeat the incomplete patch. Only 2.4.49 and 2.4.50 were affected (a recent regression, not a long-standing bug), but those versions saw rapid adoption, and CISA lists both with the ransomware flag. Public exploits and mass scanning appeared almost immediately.

The lesson: incomplete fixes, and a near-miss on the danger

Two things stand out:

  • The patch-the-patch pattern, again. As with the Log4Shell cascade and the SmartScreen narrow-fix bypass, the first fix (2.4.50) addressed the specific encoding the proof-of-concept used, not the full normalization weakness, so a variant bypassed it within days. The operational takeaway is not to close the ticket on the first patch during a fast-moving event; watch for the follow-up CVE, which for path-traversal and parsing bugs is common.
  • The exposure depended on configuration. The pure file-disclosure impact required directories not protected by the default require all denied, and the RCE escalation required CGI to be enabled. So the worst outcomes hit specific configurations, but file disclosure alone (reading config files, credentials) is serious, and many servers were exploitable.

What to do

  • Upgrade to Apache httpd 2.4.51 or later. If you’re on 2.4.49 or 2.4.50, you’re exposed to one or both bugs; 2.4.51 closes the full normalization weakness. Anything older than 2.4.49 was never affected by this specific regression, but should be current regardless.
  • Audit your directory access controls. Ensure filesystem directories are protected with require all denied by default, so a traversal can’t read them, and only open what’s intended.
  • Disable CGI where you don’t need it. mod_cgi/mod_cgid is the escalation path from file-read to RCE here; if your site doesn’t use CGI, don’t load it.
  • Assume compromise on exposed 2.4.49/2.4.50 servers from the October 2021 window and hunt for file-disclosure access to sensitive paths and, where CGI was on, web shells and command execution.
  • During fast vuln events, track the follow-up. Build the expectation of a patch-the-patch into your process; the first fix for a parsing/traversal bug is often revised.
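The hunt step above, as an added example that is not part of this note or of the httpd project: a small Python triage script that percent-decodes each logged request path until it stops changing (so single- and double-encoded traversal both normalize to ../), flags requests whose decoded path climbs above the document root, and marks those that went through /cgi-bin/ or got a 2xx. The log lines, IP addresses and paths are constructed for the example.

```python
import re
from urllib.parse import unquote
# Constructed Apache-style access-log lines (documentation-range IPs, invented paths).
SAMPLE_LOG = """\
203.0.113.9 - - [05/Oct/2021:12:00:02 +0000] "GET /icons/../../../../etc/passwd HTTP/1.1" 403 199
203.0.113.9 - - [05/Oct/2021:12:00:03 +0000] "GET /icons/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1450
203.0.113.9 - - [05/Oct/2021:12:00:04 +0000] "POST /cgi-bin/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 200 73
203.0.113.7 - - [05/Oct/2021:12:00:05 +0000] "GET /docs/a..b/readme.txt HTTP/1.1" 200 300
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def fully_decode(path, max_rounds=3):
    """Percent-decode until stable. Apache logs the raw request line, so a path
    that still changes on the second round is double-encoded (the 2.4.50 bypass)."""
    rounds = 0
    while rounds < max_rounds and (decoded := unquote(path)) != path:
        path, rounds = decoded, rounds + 1
    return path, rounds

def escapes_root(path):
    """True if a '..' segment climbs above the document root; 'a..b' is not one."""
    depth = 0
    for seg in path.split("?", 1)[0].split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False

def hunt(log_text):
    """One finding per request whose decoded path leaves the docroot."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded, rounds = fully_decode(m["path"])
        if not escapes_root(decoded):
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"], "time": m["ts"], "decoded_path": decoded,
            "double_encoded": rounds >= 2,          # CVE-2021-42013 shape
            "via_cgi": decoded.startswith("/cgi-bin/"),  # RCE escalation path
            "verdict": "likely success" if 200 <= status < 300 else "blocked",  # 403 = denied held
        })
    return findings
```

Run it over a real access log by passing the file contents to hunt(); a "likely success" finding on a sensitive path is the file-disclosure signal, and via_cgi narrows the set to review for command execution.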

The reframe is the recurring patch-quality one: a fix that stops the published exploit isn’t necessarily a fix for the bug, and Apache’s 2.4.49-to-2.4.51 sequence is a tight, fast example of that, an incomplete fix bypassed within days. Get to 2.4.51, lock down your directory controls and CGI, and don’t assume the first emergency patch was the last one. We flag the patch-bypass entries because they’re the cases where “we patched it” was briefly, dangerously, untrue.
