CVE-2025-65082

CWE-150 | 11 documents | 9 sources
Severity: 6.5 MEDIUM
EPSS: 0.2% (top 62.58%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Dec 5
Latest update: Jan 19

Description

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs. This issue affects Apache HTTP Server from 2.4.0 through 2.4.65. Users are recommended to upgrade to version 2.4.66 which fixes the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 3.9 | Impact: 2.5

Affected Packages (4 packages)

NVD | apache/http_server | 2.4.0 | 2.4.66
Alpine | apache2 | < 2.4.66-r0 | +3
Debian | apache2 | < 2.4.66-1~deb11u1 | +3

🔴 Vulnerability Details (5)

OSV | apache2 vulnerabilities | 2026-01-19
OSV | CVE-2025-65082: Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache con | 2025-12-05
GHSA | GHSA-768g-4qpg-32w7: Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache con | 2025-12-05
OSV | CVE-2025-65082: Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache con | 2025-12-05
CVEList | Apache HTTP Server: CGI environment variable override | 2025-12-05

📋 Vendor Advisories (5)

Ubuntu | Apache HTTP Server vulnerabilities | 2026-01-19
Oracle | Oracle Oracle Secure Backup Risk Matrix: Oracle Secure Backup (Apache HTTP Server) — CVE-2025-65082 | 2026-01-15
Microsoft | Apache HTTP Server: CGI environment variable override | 2025-12-09
Red Hat | httpd: Apache HTTP Server: CGI environment variable override | 2025-12-05
Debian | CVE-2025-65082: apache2 - Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in A... | 2025