The Apache Software Foundation has released a security patch to address a vulnerability in its HTTP Web Server project that has been actively exploited in the wild.
Tracked as CVE-2021-41773, the vulnerability affects only Apache web servers running version 2.4.49 and occurs because of a bug in how the Apache server converts between different URL path schemes, a process called path or URI normalization.
“An attacker could use a path traversal attack to map URLs to files outside the expected document root,” the ASF team said in the Apache HTTP Server 2.4.50 changelog. “If files outside of the document root are not protected by ‘require all denied’, these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts.”
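The changelog's condition hinges on the filesystem root being denied by default. The configuration below is an added example, not text from the article or from the Apache project; it shows the standard Apache 2.4 pattern of denying the whole filesystem and then granting access only under the document root (the path /var/www/html is an assumed value), beside the weak setting the changelog warns about. It narrows what a request that escapes the document root can reach, but it does not address the CGI source leak the changelog also mentions, so the upgrade to 2.4.50 is still required.

```apache
# Hardened baseline (added example, not the project's shipped config):
# deny everything on the filesystem first ...
<Directory />
    AllowOverride None
    Require all denied
</Directory>

# ... then grant access only to the directory tree that should be served.
# /var/www/html is an assumed document root; substitute your own.
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Weak setting (shown for contrast, do not use): with the filesystem root
# granted, a request that resolves outside the document root is served
# instead of refused, which is the case the 2.4.50 changelog describes.
# <Directory />
#     Require all granted
# </Directory>
```

Check the effective setting with `apachectl -t` for syntax and then confirm, with a request for a path outside the document root, that the server answers 403 rather than 200; the `Require all denied` block is what produces that refusal.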
Hours after the 2.4.50 version was released, several security researchers were able to reproduce the vulnerability and release multiple proof-of-concept exploits on Twitter and GitHub.
Currently, the Apache HTTP Server is either #1 or #2 on the list of today’s most used web servers, with more than 120,000 servers exposed online to attacks. The good news is that not all run the latest version, and administrators can easily mitigate the zero-day attacks by skipping the 2.4.49 version and upgrading to 2.4.50 directly.