Apache HTTP Server: CGI environment variable override_CVE-2025-65082

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Description

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs.

This issue affects Apache HTTP Server from 2.4.0 through 2.4.65.

Users are recommended to upgrade to version 2.4.66 which fixes the issue.

Basic Information

ID CVE-2025-65082

Source apache

Published Dec 5, 2025 at 10:46

Modified Dec 5, 2025 at 19:30

Affected Product

Vendor Apache Software Foundation

Product Apache HTTP Server

Version 2.4.0

Affected Versions Apache Software Foundation Apache HTTP Server 2.4.0

CWE Classification

CWE-150

References

httpd.apache.org /security/vulnerabilities_24.html

{
    "lastseen": "",
    "description": "Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs.\n\nThis issue affects Apache HTTP Server from 2.4.0 through 2.4.65.\n\nUsers are recommended to upgrade to version 2.4.66 which fixes the issue.",
    "published": "2025-12-05T10:46:27.138Z",
    "modified": "2025-12-05T19:30:08.216Z",
    "type": "cve",
    "title": "Apache HTTP Server: CGI environment variable override",
    "source": "apache",
    "references": "https://httpd.apache.org/security/vulnerabilities_24.html",
    "id": "CVE-2025-65082",
    "bulletinFamily": "",
    "cwe": [
        "CWE-150"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache HTTP Server 2.4.0",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache HTTP Server",
    "version": "2.4.0",
    "vendor": "Apache Software Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}