How i discovered the CVE-2025-49630 — a reachable assertion in h2_proxy_util.c that crashes all Apache workers with a single netcat command. Affects Apache 2.4.26 through 2.4.63. Fixed in 2.4.64.
Offensive security research, red teaming, infrastructure and AI security — explored through real-world scenarios.
Vulnerability discovery, 1-day analysis, attack surface mapping, pentesting tradecraft, and tooling experiments — documented as I go. No filler. No recycled theory. If it is here, it was tested, broken, or built.
1-Day Analysis: CVE-2024-38477 — NULL Pointer Dereference in Apache mod_proxy
1-day analysis of CVE-2024-38477: a NULL pointer dereference in ap_proxy_determine_connection() when apr_uri_parse() returns success but leaves hostname NULL. Includes patch diff, GDB crash validation, and an honest account of failed exploitation attempts.
From Cookie Parser to Crash: Root Cause Analysis of CVE-2021-26690
Deep dive into CVE-2021-26690 — a NULL pointer dereference in Apache HTTP Server’s mod_session that allows unauthenticated remote DoS via a crafted Cookie header.