Apache httpd versions 2.4.0 to 2.4.39 are affected by an open redirect vulnerability in mod_rewrite.
Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.
The issue was discovered by Yukitsugu Sasaki.
Upgrade to the latest version of Apache. This issue was fixed in Apache httpd 2.4.41.
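
An added example, not part of the original advisory or the Apache project's code: a Python check that tests whether an httpd version falls in the affected range stated above and flags access-log entries where a request path containing an encoded CR or LF received a 3xx response. The log lines are constructed, and the common/combined log format and the path-only check are assumptions.

```python
import re
from urllib.parse import unquote

# Affected range as stated in the advisory above: httpd 2.4.0 through 2.4.39.
AFFECTED_MIN, AFFECTED_MAX = (2, 4, 0), (2, 4, 39)

# Assumption: access log in Apache common/combined format, where %r records
# the request line as received (percent-encoding intact).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_affected(version):
    """True if a version string such as '2.4.38' lies in the affected range."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return AFFECTED_MIN <= tuple(int(p) for p in m.groups()) <= AFFECTED_MAX

def has_encoded_newline(target):
    """True if the URL path (query string excluded) decodes to contain CR or LF."""
    path = target.split("?", 1)[0]
    decoded = unquote(path)
    return "\r" in decoded or "\n" in decoded

def suspicious_redirects(lines):
    """Return (client, target, status) for 3xx responses to newline-bearing paths."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["status"].startswith("3") and has_encoded_newline(m["target"]):
            hits.append((m["client"], m["target"], int(m["status"])))
    return hits

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2020:10:00:00 +0000] "GET /docs HTTP/1.1" 301 233',
    '198.51.100.7 - - [01/Jan/2020:10:00:05 +0000] "GET /docs%0Aplaceholder.invalid/ HTTP/1.1" 302 210',
    '198.51.100.7 - - [01/Jan/2020:10:00:09 +0000] "GET /img%0dlogo.png HTTP/1.1" 404 196',
    '203.0.113.4 - - [01/Jan/2020:10:00:12 +0000] "GET /search?q=a%0Ab HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in suspicious_redirects(SAMPLE_LOG):
        print(hit)
```

A hit is a lead for review rather than proof of an off-site redirect, since the default log formats do not record the Location header that was sent.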