PatchDay Alert
Daily Digest · 2 min read · 5 CVEs · Issue 13 · By PatchDay Alert

Gotenberg SSRF scores 9.4, Apache httpd double-free enables RCE

A deny-list bypass in Gotenberg lets unauthenticated attackers hit your internal APIs (CVE-2026-42596, CVSS 9.4). Apache HTTP Server's mod_http2 has a double-free that could mean remote code execution on any internet-facing instance (CVE-2026-23918, CVSS 8.8). Bandit WebSocket OOM, Kiota credential leaks, and a Linux vidtv kernel bug round it out.

Patch now: 1 · Within 24h: 1 · This week: 2 · Exploited: 0

Products: Erlang Bandit, Elixir, Linux, Apache HTTP Server, Azure Linux, CBL Mariner, Linux Kernel, Microsoft Kiota, Windows, MacOS, Gotenberg

Five patches today, two that need your attention right now. Gotenberg has a CVSS 9.4 SSRF bug that lets unauthenticated attackers bypass its deny-list and hit your internal services, including cloud metadata endpoints. Right behind it, Apache HTTP Server has a double-free in mod_http2 (CVSS 8.8) that could hand an attacker remote code execution on any internet-facing instance.


Today's CVEs

Sorted by urgency

02 · CVE-2026-23918 · MSRC · CVSS 8.8 · EPSS 0.06% · Patch within 24h · HIGH
Affects: Apache HTTP Server, Azure Linux, CBL Mariner, Linux

A double-free bug in Apache HTTP Server's HTTP/2 handling can be triggered when a client sends an early stream reset. This could lead to remote code execution. No authentication is required, and any internet-facing Apache instance with mod_http2 enabled is a target.

Included because
unauthenticated; internet-facing; possible RCE; CVSS 8.8; extremely common product
Affected estate
Apache httpd 2.4.66-1 on Azure Linux 3.0 and CBL Mariner 2.0. Any other distro shipping httpd 2.4.66 or earlier with mod_http2 loaded.
How to check
Run `httpd -v` to confirm the version and `httpd -M | grep http2` to confirm HTTP/2 is loaded.
Action
Patch httpd to the fixed package version via your distro's package manager and restart the service.
Urgency
Patch within 24 hours
Why it matters
A double-free in a network-facing process is a classic path to remote code execution, and HTTP/2 is enabled by default in many deployments.
Source
Apache Software Foundation advisory

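One way to turn the two checks above into a script, added here as an example rather than code from the digest or from the Apache project: it parses `httpd -v` and `httpd -M` output and classifies the host against the 2.4.66 cutoff the entry gives. Constructed sample output is embedded so it runs offline; the verdict labels, the fall-back to the `apache2` binary name, and the cutoff comparison are this example's assumptions.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Upper bound of the affected range named in the digest entry (2.4.66 or earlier).
LAST_AFFECTED = (2, 4, 66)

# Verdict labels are this example's own naming, not Apache's or the digest's.
AFFECTED_HTTP2_LOADED = "affected: mod_http2 loaded, patch within 24h"
AFFECTED_HTTP2_NOT_LOADED = "affected version, mod_http2 not loaded: patch on normal cadence"
OUTSIDE_AFFECTED_RANGE = "version above 2.4.66: verify against the distro advisory"
UNKNOWN = "unknown: could not parse httpd -v output"

# Constructed sample output (not captured from a real server) so the example runs offline.
SAMPLE_HTTPD_V = (
    "Server version: Apache/2.4.66 (Unix)\n"
    "Server built:   Jan  1 2026 00:00:00\n"
)
SAMPLE_HTTPD_M = (
    "Loaded Modules:\n"
    " core_module (static)\n"
    " so_module (static)\n"
    " http2_module (shared)\n"
    " mpm_event_module (shared)\n"
)


def parse_httpd_version(httpd_v_output: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from `httpd -v` output, or None if absent."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v_output)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def http2_loaded(httpd_m_output: str) -> bool:
    """True if `httpd -M` lists http2_module (static or shared)."""
    return re.search(r"^\s*http2_module\s*\(", httpd_m_output, re.MULTILINE) is not None


def assess(httpd_v_output: str, httpd_m_output: str) -> str:
    """Classify a host from the two command outputs."""
    version = parse_httpd_version(httpd_v_output)
    if version is None:
        return UNKNOWN
    if version > LAST_AFFECTED:
        # Upstream version is newer than the digest's cutoff. Distro packages can also
        # carry backported fixes under the same upstream number (the digest names
        # 2.4.66-1 on Azure Linux), so the package release must be compared with the
        # distro advisory rather than trusting the upstream number alone.
        return OUTSIDE_AFFECTED_RANGE
    if http2_loaded(httpd_m_output):
        return AFFECTED_HTTP2_LOADED
    return AFFECTED_HTTP2_NOT_LOADED


def run_or_sample(args, sample: str) -> str:
    """Run the command if the binary exists, otherwise fall back to the sample text."""
    if shutil.which(args[0]) is None:
        return sample
    proc = subprocess.run(args, capture_output=True, text=True, check=False)
    # httpd -v prints to stdout; some builds print the module list to stderr.
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    # Assumption: the binary is "httpd"; Debian-derived systems name it "apache2".
    binary = "httpd" if shutil.which("httpd") else "apache2"
    v_out = run_or_sample([binary, "-v"], SAMPLE_HTTPD_V)
    m_out = run_or_sample([binary, "-M"], SAMPLE_HTTPD_M)
    print(assess(v_out, m_out))
```

Run it on the host itself; when neither binary is present it prints the verdict for the constructed sample so the logic can still be read end to end.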

03 · CVE-2026-43058 · MSRC · CVSS 7.1 · EPSS 0.02% · Track · HIGH
Affects: Linux Kernel, Azure Linux, Linux

A kernel bug in the vidtv virtual DVB driver passes structs by value incorrectly, causing uninitialized memory reads flagged by MSAN. Exploitation requires local access and use of the vidtv test driver, which most production systems never load.

Included because
local only; uncommon module; CVSS 7.1 but low practical exposure
Affected estate
Azure Linux 3.0 systems running kernel 6.6.134.1-2 with the vidtv module loaded.
How to check
Run `uname -r` to check the kernel version and `lsmod | grep vidtv` to see if the driver is loaded.
Action
Apply the updated kernel package during your next scheduled maintenance window.
Urgency
Monitor and patch
Why it matters
Low real-world risk since vidtv is a test driver rarely loaded in production, but the kernel update keeps your patch baseline current.
Source
Azure Linux advisory


04 · CVE-2026-44503 · GitHub · CVSS 7.0 · Patch this week · HIGH
Affects: Microsoft Kiota, Windows, Linux, MacOS

Kiota's built-in HTTP redirect handler forwards Cookie and Proxy-Authorization headers when it follows a redirect to a different host. If your app talks to an external API that issues a cross-host redirect, those credentials leak to the second server. Exploitation requires a redirect scenario, but that's easy for an attacker who controls or compromises the target API.

Included because
credential leak; cross-host redirect; multi-language SDK; CVSS 7.0
Affected estate
Any application using microsoft-kiota-abstractions (NuGet/Maven), microsoft-kiota-http (pip), kiota-typescript (npm), or kiota-http-go.
How to check
Search your dependency manifests (pom.xml, .csproj, requirements.txt, package.json, go.mod) for the affected Kiota packages and check the version.
Action
Upgrade to the patched Kiota package version for your language, rebuild, and redeploy.
Urgency
Patch this week
Why it matters
Leaked auth headers on cross-host redirects can hand session tokens or proxy credentials to an attacker-controlled server.
Source
Microsoft advisory

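The behaviour a redirect handler should have instead, written here in Python as an added example and not Kiota's own code: credential-bearing headers are dropped whenever the redirect target's origin (scheme, host, port) differs from the request's, which also covers an https-to-http downgrade on the same host. The request headers and the response table are constructed; the header set (Cookie and Proxy-Authorization from the entry, plus Authorization) and the origin rule are this example's assumptions.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Headers that must not travel to a different origin on redirect. Cookie and
# Proxy-Authorization are the two the digest names; Authorization is added here
# as the obvious third member (an assumption of this example, not the advisory).
CREDENTIAL_HEADERS = {"cookie", "authorization", "proxy-authorization"}
DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed request headers and a constructed response table (not a real API).
SAMPLE_HEADERS = {
    "Accept": "application/pdf",
    "Cookie": "session=constructed-value",
    "Proxy-Authorization": "Basic Y29uc3RydWN0ZWQ=",
    "Authorization": "Bearer constructed-token",
}
CONSTRUCTED_RESPONSES: Dict[str, Tuple[int, Optional[str]]] = {
    "https://api.example.com/v1/old": (301, "/v1/report"),
    "https://api.example.com/v1/report": (302, "https://cdn.example.net/report.pdf"),
    "https://cdn.example.net/report.pdf": (200, None),
    "https://api.example.com/v1/downgrade": (302, "http://api.example.com/v1/plain"),
    "http://api.example.com/v1/plain": (200, None),
}


def origin(url: str) -> Tuple[str, str, int]:
    """(scheme, host, port) with default ports filled in, for same-origin comparison."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme, 0)


def headers_for_redirect(request_url: str, location: str,
                         headers: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Resolve the Location header and return (target_url, headers to send there)."""
    target = urljoin(request_url, location)
    if origin(target) == origin(request_url):
        return target, dict(headers)
    # Different origin: forward only the non-credential headers.
    stripped = {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}
    return target, stripped


def simulate_redirects(start_url: str, headers: Dict[str, str],
                       responses: Dict[str, Tuple[int, Optional[str]]],
                       max_redirects: int = 5) -> List[Tuple[str, List[str]]]:
    """Walk a redirect chain and record which header names were sent to each URL."""
    url, sent = start_url, dict(headers)
    trace: List[Tuple[str, List[str]]] = []
    for _ in range(max_redirects + 1):
        status, location = responses.get(url, (404, None))
        trace.append((url, sorted(sent)))
        if status not in REDIRECT_STATUSES or location is None:
            return trace
        url, sent = headers_for_redirect(url, location, sent)
    raise RuntimeError("redirect limit exceeded")


if __name__ == "__main__":
    for hop, names in simulate_redirects("https://api.example.com/v1/old",
                                         SAMPLE_HEADERS, CONSTRUCTED_RESPONSES):
        print(hop, names)
```

The trace for the first chain shows all four headers reaching the same-origin hop and only `Accept` reaching `cdn.example.net`; the same logic is what to look for when reviewing any HTTP client's redirect policy, Kiota's included, after the upgrade.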

05 · CVE-2026-42596 · GitHub · CVSS 9.4 · Patch now · CRITICAL
Affects: Gotenberg, Linux

Gotenberg's downloadFrom and webhook features have a server-side request forgery (SSRF) bug that bypasses the default deny-list. An unauthenticated attacker can make your Gotenberg instance fetch internal URLs, potentially reaching cloud metadata endpoints, internal APIs, or other services behind your firewall. CVSS 9.4, so treat this seriously.

Included because
unauthenticated; internet-facing; SSRF with deny-list bypass; CVSS 9.4
Affected estate
Gotenberg v8 instances (Go module github.com/gotenberg/gotenberg/v8) with downloadFrom or webhook functionality accessible.
How to check
Check your running Gotenberg container image tag or run `gotenberg --version`. Review whether the API is exposed without authentication.
Action
Pull the patched Gotenberg v8 image, redeploy, and confirm your network segmentation blocks access to cloud metadata (169.254.169.254) and internal services.
Urgency
Patch immediately
Why it matters
Unauthenticated SSRF at CVSS 9.4 lets an attacker pivot through your Gotenberg instance to reach internal services, steal cloud credentials from metadata endpoints, or probe your network.
Source
GitHub

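A destination check of the kind a deny-list is meant to provide, added here as an example and not Gotenberg's own code: it rejects non-HTTP schemes and URLs carrying userinfo, resolves the host, and refuses the fetch if any resolved address (IPv4-mapped IPv6 included) lands in a loopback, private, link-local or other reserved block, which covers the 169.254.169.254 metadata address the entry names. DNS answers come from a constructed table so it runs offline; the block list and the deny-on-unresolvable default are this example's choices.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Ranges a document-conversion service should never fetch from. The metadata
# address the digest names (169.254.169.254) falls inside the link-local block.
DENIED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed DNS answers (not real records) so the example runs offline.
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "files.example.com": ["203.0.113.10"],
    "internal.corp": ["10.0.0.5"],
    "dual.example.com": ["203.0.113.11", "fe80::1"],
}


def constructed_resolver(host: str) -> List[str]:
    """Stand-in for a real resolver; returns every address the name maps to."""
    return CONSTRUCTED_DNS.get(host.lower(), [])


def address_denied(addr: IPAddress) -> bool:
    """True if the address, after unwrapping IPv4-mapped IPv6, is in a denied block."""
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr in net for net in DENIED_NETWORKS)


def check_fetch_url(url: str,
                    resolver: Callable[[str], List[str]] = constructed_resolver
                    ) -> Tuple[bool, str]:
    """Decide whether a downloadFrom/webhook style fetch may proceed; returns (ok, reason)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        addrs: List[IPAddress] = [ipaddress.ip_address(host)]  # literal IP, no DNS needed
    except ValueError:
        answers = resolver(host)
        if not answers:
            return False, f"{host} did not resolve"
        addrs = [ipaddress.ip_address(a) for a in answers]
    # Every answer must be clean: a name with one public and one internal address
    # would otherwise let the client pick the internal one.
    for addr in addrs:
        if address_denied(addr):
            return False, f"{host} -> {addr} is in a denied range"
    return True, f"{host} -> {', '.join(str(a) for a in addrs)}"


if __name__ == "__main__":
    for candidate in ("https://files.example.com/input.html",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://[::ffff:169.254.169.254]/",
                      "http://internal.corp/report",
                      "file:///etc/hosts"):
        print(candidate, check_fetch_url(candidate))
```

Whatever performs the fetch must connect to the address that was validated rather than resolving the name a second time, otherwise the answer can change between check and use. The check complements the network segmentation the entry recommends; it does not replace it.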

