CVE-2025-65082
MEDIUMApache HTTP Server 2.4.0-2.4.65 - Environment Variable Injection via CGI Configuration
Title source: llmDescription
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs. This issue affects Apache HTTP Server from 2.4.0 through 2.4.65. Users are recommended to upgrade to version 2.4.66 which fixes the issue.
References (2)
Core 2
Core References
Vendor Advisory vendor-advisory
https://httpd.apache.org/security/vulnerabilities_24.html
Issue Tracking, Third Party Advisory
http://www.openwall.com/lists/oss-security/2025/12/04/7
Scores
CVSS v3
6.5
EPSS
0.0014
EPSS Percentile
34.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-150
Status
published
Products (1)
apache/http_server
2.4.0 - 2.4.66
Published
Dec 05, 2025
Tracked Since
Feb 18, 2026