Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <f4b53f0f-f92c-c045-49bd-3538c39afbca@apache.org>
Date: Thu, 04 Dec 2025 14:44:58 +0000
From: Eric Covener <covener@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-65082: Apache HTTP Server: CGI environment variable
 override 

Severity: low 

Affected versions:

- Apache HTTP Server 2.4.0 through 2.4.65

Description:

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs.

This issue affects Apache HTTP Server from 2.4.0 through 2.4.65.

Users are recommended to upgrade to version 2.4.66 which fixes the issue.

Credit:

Mattias Åsander (Umeå University) (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html`
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-65082

Timeline:

2025-11-14: reported
2025-12-01: fixed in 2.4.x by r1930167

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.