Bug 2419141 (CVE-2025-59775)

Summary: CVE-2025-59775 httpd: Apache HTTP Server: NTLM Leakage on Windows via SSRF
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: chkhot, csutherl, jclere, pjindal, plodge, szappis, vchlup
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A server side request forgery flaw has been discovered in the Apache HTTP server. The Apache HTTP Server on Windows with AllowEncodedSlashes On and MergeSlashes Off allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-12-05 11:01:26 UTC 
Server-Side Request Forgery (SSRF) vulnerability 

 in Apache HTTP Server on Windows 

with AllowEncodedSlashes On and MergeSlashes Off  allows to potentially leak NTLM 
hashes to a malicious server via SSRF and malicious requests or content

Users are recommended to upgrade to version 2.4.66, which fixes the issue.