TLP: CLEAR
Date: 03/07/2024
REF NO: CERT/2024/07/58
Severity Level: Medium
Components Affected
Apache HTTP Server versions prior to 2.4.60
Overview
Multiple vulnerabilities were identified in Apache HTTP Server. A remote attacker could exploit some of these vulnerabilities to trigger a denial-of-service condition, remote code execution, a security restriction bypass or sensitive information disclosure on the targeted system.
Description
Several vulnerabilities have been identified in Apache HTTP Server versions 2.4.59 and earlier, posing significant security risks. One critical issue involves serving WebSocket protocol upgrades over an HTTP/2 connection, which can lead to a null pointer dereference, crashing the server and degrading performance. Another vulnerability, affecting Windows-based systems, allows Server-Side Request Forgery (SSRF) and can leak NTLM hashes to malicious servers. Additionally, improper URL encoding in the `mod_proxy` module can allow requests to bypass authentication, while unsafe RewriteRules in the `mod_rewrite` module may enable attackers to execute scripts in unintended directories or disclose source code. In some cases, such RewriteRules can also cause SSRF by directing URLs to be processed by `mod_proxy` unexpectedly. To address these issues, users are strongly recommended to upgrade to version 2.4.60, which fixes these vulnerabilities. This update introduces new configuration options such as the “UNCList” directive for handling UNC paths and the RewriteRule flags “UnsafeAllow3F” and “UnsafePrefixStat”, which control the behaviour of RewriteRules and ensure they operate safely.
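The following configuration fragment is an added illustration, not part of the advisory or of the Apache project's documentation. It shows, for the two `mod_rewrite` hardening changes named above, a rule shape that 2.4.60 will refuse unless the corresponding opt-in flag is added, beside a safer form that does not need the flag. All paths, URL prefixes and patterns are constructed; the precise conditions under which 2.4.60 rejects a rule are defined in the mod_rewrite documentation for that release and should be checked there before editing a production configuration.

```apache
# Added example (constructed, not from the advisory): reviewing RewriteRules
# after upgrading to Apache HTTP Server 2.4.60.
RewriteEngine On

# --- Case 1: substitution that begins with a backreference (server context) ---
# Before 2.4.60, a substitution whose first segment comes straight from the
# request could map URLs onto filesystem locations the administrator never
# meant to expose. From 2.4.60, a rule like this is refused unless the
# UnsafePrefixStat flag is added:
#
#   RewriteRule "^/files/(.*)$" "$1" [L]            # risky, constructed
#
# Safer: anchor the substitution with a literal prefix and restrict the capture
# so that request data cannot decide where the path starts or climb upwards.
RewriteRule "^/files/([A-Za-z0-9_-][A-Za-z0-9._-]*)$" "/var/www/storage/$1" [L]

# --- Case 2: captured text that may carry a '?' into the substitution ---
# A '?' (literal or %3F-encoded) taken from the request and placed into the
# rewritten path could be re-interpreted as a query-string separator, which is
# what lets scripts in unintended directories run or leak their source. From
# 2.4.60 such a rule fails unless the UnsafeAllow3F flag is given:
#
#   RewriteRule "^/dl/(.*)$" "/cgi-bin/download.cgi/$1" [L]   # risky, constructed
#
# Safer: only allow a character class that cannot contain '?' or '/', so the
# opt-in flag is never needed.
RewriteRule "^/dl/([A-Za-z0-9_-][A-Za-z0-9._-]*)$" "/cgi-bin/download.cgi/$1" [L]
```

After the upgrade, the practical check is to run `apachectl configtest` (or `httpd -t`) and treat any rule that only starts again once `UnsafePrefixStat` or `UnsafeAllow3F` is added as a rule to rewrite, not as a rule to flag: the flags exist to opt back into the pre-2.4.60 behaviour, which is the behaviour the advisory describes as exploitable.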
Impact
Solution / Workarounds
Before installing the software, please visit the vendor website for more details.
Apply fixes issued by the vendor:
Reference
Disclaimer: The information provided herein is on an “as is” basis, without warranty of any kind.
Sri Lanka Computer Emergency Readiness Team | Coordination Centre