CVE-2025-65082
published 2025-12-05CVE-2025-65082: Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache…
medium6.5CVSS 3.1
AVNACLPRNUINSUCLILAN
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs.
This issue affects Apache HTTP Server from 2.4.0 through 2.4.65.
Users are recommended to upgrade to version 2.4.66 which fixes the issue.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | http_server | >= 2.4.0 < 2.4.66 | 2.4.66 |
| apache_software_foundation | apache_http_server | 2.4.0 – 2.4.65 | — |
| debian | apache2 | < apache2 2.4.66-1~deb12u1 (bookworm) | apache2 2.4.66-1~deb12u1 (bookworm) |
| msrc | azl3_httpd_2.4.65-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_httpd_2.4.65-1_on_cbl_mariner_2.0 | — | — |
| ubuntu | apache2 | — | — |
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
osv7.5HIGH