Message-ID: <d01979ff-c708-ea40-1077-d829bea3f234@apache.org>
Date: Thu, 04 Dec 2025 14:42:31 +0000
From: Eric Covener <covener@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-58098: Apache HTTP Server: Server Side Includes adds query string to #exec cmd=...

Severity: low 

Affected versions:

- Apache HTTP Server before 2.4.66

Description:

Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives.

This issue affects Apache HTTP Server before 2.4.66.

Users are recommended to upgrade to version 2.4.66, which fixes the issue.

Credit:

Anthony Parfenov (United Rentals, Inc.) (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-58098

Timeline:

2025-08-21: Reported to security team
2025-12-01: fixed in 2.4.x by r1930165
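The advisory only matters on hosts that actually serve SSI documents containing `#exec cmd` directives under mod_cgid. The following inventory script is an added example and is not part of Eric Covener's message or of the httpd project: it walks a document root, extracts every `#exec cmd="..."` directive from SSI-parsed files, and reports where they live, so an operator can judge exposure before 2.4.66 is rolled out. The function names (`find_exec_directives`, `scan_tree`, `demo`) and the sample files built by `demo()` are constructed for this example; the suffix list is an assumption and should match whatever `AddOutputFilter INCLUDES` covers in the real configuration.

```python
import re
import tempfile
from pathlib import Path

# mod_include exec directive: <!--#exec cmd="..." -->  (double or single quotes;
# whitespace variants tolerated). Group 2 is the command string.
EXEC_RE = re.compile(
    r'<!--#\s*exec\s+cmd\s*=\s*(["\'])(.*?)\1\s*-->',
    re.IGNORECASE | re.DOTALL,
)


def find_exec_directives(text):
    """Return the cmd value of every #exec cmd directive in one document."""
    return [m.group(2) for m in EXEC_RE.finditer(text)]


def scan_tree(root, suffixes=(".shtml", ".html", ".htm")):
    """Walk root and return (relative path, cmd) for each #exec cmd found.

    Only files whose suffix is in `suffixes` are inspected; assumption: these
    are the suffixes the server passes through the INCLUDES filter.
    """
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        for cmd in find_exec_directives(path.read_text(errors="replace")):
            hits.append((path.relative_to(root).as_posix(), cmd))
    return hits


def demo():
    """Build a constructed sample document root in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "docs"
        docs.mkdir()
        # Two SSI pages that shell out, one that only includes, one non-SSI file.
        (docs / "index.shtml").write_text('<h1>Home</h1>\n<!--#exec cmd="date" -->\n')
        (docs / "status.shtml").write_text("<!--#exec cmd='uptime' -->\n")
        (docs / "plain.html").write_text('<!--#include virtual="/footer.html" -->\n')
        (docs / "notes.txt").write_text('<!--#exec cmd="ignored" -->\n')  # not SSI-parsed
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel_path, cmd in demo():
        print(f"{rel_path}: #exec cmd={cmd!r}")
```

Any hit is a page whose command line, on an affected mod_cgid build, can receive the request's query string as extra arguments; the fix is the upgrade the advisory recommends. Where an immediate upgrade is not possible, httpd's `Options IncludesNOEXEC` keeps SSI working while disabling `#exec` altogether, which removes the affected code path for those documents.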
