Apache 2.4.18 Vulnerabilities
Version 2.4.18 relied on older session-handling logic. Subsequent versions (specifically around 2.4.25) applied fixes to how mod_session handles cookies. While less "flashy" than injection attacks, session handling vulnerabilities can lead to session hijacking or privilege escalation if the session storage is manipulated.
HTTP Request Smuggling
Apache 2.4.18 served its purpose in 2015, but it is a liability in the modern threat landscape. With vulnerabilities ranging from CRLF injection to HTTP request smuggling, it represents a clear and present danger to any network infrastructure.
The nonce used in HTTP Digest authentication is not generated with a secure random seed, allowing attackers to replay requests across a cluster.
A failure to correctly validate X.509 certificates in experimental HTTP/2 modules can allow unauthenticated users to bypass security controls.