Apache in CVE-Agent-Bench — 7 vulnerabilities tested
7 vulnerability samples from Apache HTTP Server and related projects, generating 105 evaluations across 15 agents.
Overview
Apache HTTP Server is the most widely deployed web server globally, powering roughly a quarter of all websites. The Apache project includes the main server, mod_proxy, and other modules that handle request processing, URL routing, and protocol handling. Because Apache is a foundational component of internet infrastructure, bugs in it affect millions of websites and embedded systems that rely on the server.
Benchmark coverage
7 vulnerability samples from Apache and Apache-related projects are included in CVE-Agent-Bench, generating 105 individual evaluations across 15 agent configurations. These samples include request smuggling vulnerabilities, path traversal bugs, and issues in mod_proxy request forwarding.
Vulnerability classes
Apache samples cover vulnerability patterns in HTTP request handling:
- HTTP request smuggling vulnerabilities where the Content-Length and Transfer-Encoding headers are interpreted differently by the proxy and the backend
- Path traversal bugs in URL normalization where encoded characters bypass directory restrictions
- Header injection vulnerabilities where newline characters in header values split requests
- Regex denial of service in URL matching rules where crafted paths cause catastrophic backtracking
- Protocol confusion bugs where different HTTP versions or request methods trigger unexpected parsing
- Symlink-following vulnerabilities in mod_proxy request redirection
Why Apache bugs are interesting for agent evaluation
Apache vulnerabilities test an agent's ability to understand HTTP request parsing and module interactions. The codebase involves complex request handling pipelines, header parsing, and routing logic. Bugs often involve subtle differences in how components interpret the same request, or edge cases in path normalization. Agents must generate fixes that block attacks without disrupting legitimate traffic patterns on the world's most widely deployed web server.
Apache's modular architecture means a fix must not only address the vulnerable component but also leave module interactions secure once it is applied.
Agent performance on Apache
Per-project performance data is not yet published. Overall agent performance across all projects is available at the full results page, where you can compare agents by pass rate and cost. The benchmark methodology explains the evaluation process.
Related projects
Projects with similar protocol and parsing challenges:
- envoyproxy: HTTP/2 protocol implementation with state machine handling
- libarchive: untrusted binary input parsing with format validation
- libgit2: protocol and format implementation in a widely deployed tool
FAQ
What does Apache's presence in CVE-Agent-Bench show?
Apache is the most deployed web server globally. 7 samples test request parsing, mod_proxy interactions, and HTTP semantics that agents must handle correctly.
Benchmark Results
62.7% pass rate. $2.64 per fix. Real data from 1,920 evaluations.
Benchmark Methodology
How XOR benchmarks AI coding agents on real security vulnerabilities. Reproducible, deterministic, and transparent.