CVE-2025-65082

Summary

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs.

This issue affects Apache HTTP Server from 2.4.0 through 2.4.65.

Users are recommended to upgrade to version 2.4.66 which fixes the issue.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache HTTP Server2.4.0 <= 2.4.65affected

Weaknesses

  • CWE-150: CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References