PT-2025-49181 · Apache+10 · Apache Http Server+10

Anthony Parfenov · Published 2025-01-01 · Updated 2026-05-28 · CVE-2025-58098

CVSS v2.0: 8.7 High

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:P

Name of the Vulnerable Software and Affected Versions

Apache HTTP Server versions prior to 2.4.66

Description

The Apache HTTP Server, when configured with Server Side Includes (SSI) enabled and using mod_cgid (but not mod_cgi), improperly handles shell-escaped query strings passed to #exec cmd="..." directives. This can lead to command execution. The issue occurs when the server passes the shell-escaped query string to the cmd attribute within the #exec directive.

Recommendations

Upgrade to version 2.4.66 or later.
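
The following is an added example, not part of the advisory or of Apache's own code: a small audit that checks a configuration for the three preconditions named in the description (version prior to 2.4.66, mod_cgid loaded, SSI with #exec permitted). The function names and sample configurations are constructed for illustration; `IncludesNOEXEC` is the standard Apache `Options` value that allows SSI while disabling #exec, shown here as the hardened contrast.

```python
import re

FIXED = (2, 4, 66)  # first fixed release, per the advisory

def parse_version(banner):
    """Pull (major, minor, patch) out of text such as 'Server version: Apache/2.4.65 (Unix)'."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(map(int, m.groups())) if m else None

def audit(config_text, banner):
    """Report which of the advisory's preconditions a configuration meets (per-line heuristic)."""
    version = parse_version(banner)
    cgid_loaded = False
    exec_ssi = []  # (line number, directive) where SSI with #exec is allowed
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        words = line.split()
        directive = words[0].lower()
        if directive == "loadmodule" and len(words) > 1 and words[1] == "cgid_module":
            cgid_loaded = True
        elif directive == "options":
            # "Includes" and "All" permit #exec; "IncludesNOEXEC" and "-Includes" do not.
            opts = {w.lstrip("+").lower() for w in words[1:] if not w.startswith("-")}
            if opts & {"includes", "all"}:
                exec_ssi.append((n, line))
    old = version is not None and version < FIXED
    return {
        "version": version,
        "vulnerable_version": old,
        "mod_cgid_loaded": cgid_loaded,
        "exec_ssi": exec_ssi,
        "exposed": old and cgid_loaded and bool(exec_ssi),
    }

# Constructed sample configurations, not taken from any real host.
WEAK = """\
LoadModule include_module modules/mod_include.so
LoadModule cgid_module modules/mod_cgid.so
<Directory "/var/www/html">
    Options +Includes
    AddOutputFilter INCLUDES .shtml
</Directory>
"""
HARDENED = WEAK.replace("Options +Includes", "Options +IncludesNOEXEC")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg, "Server version: Apache/2.4.65 (Unix)"))
```

Distribution packages may carry the fix under an older upstream version string, so treat the version finding as a prompt to check the vendor advisory rather than as proof of exposure.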

Fix

Weakness Enumeration

Related Identifiers

ALSA-2025:23732
ALSA-2025:23919
ALSA-2025:23932
AZL-71860
AZL-71867
BDU:2025-15635
BIT-APACHE-2025-58098
CVE-2025-58098
MGASA-2025-0322
OESA-2026-1527
OESA-2026-1528
OESA-2026-1529
OESA-2026-1592
OESA-2026-1593
OPENSUSE-SU-2025:15808-1
OPENSUSE-SU-2026:20030-1
OPENSUSE-SU-2026:20810-1
RHSA-2025:23919
RHSA-2025:23932
RHSA-2026:0009
RHSA-2026:0010
RHSA-2026:0011
RHSA-2026:0012
RHSA-2026:0074
RHSA-2026:0075
RHSA-2026:0090
RHSA-2026:0095
RHSA-2026:0139
RHSA-2026:0141
RHSA-2026:0171
RHSA-2026:2994
RHSA-2026:5156
SUSE-SU-2025:4488-1
SUSE-SU-2025:4518-1
SUSE-SU-2026:0019-1
SUSE-SU-2026:0020-1
SUSE-SU-2026:20081-1
SUSE-SU-2026:21846-1
USN-7968-1
USN-8338-1

Affected Products

ALT Linux
AlmaLinux
Apache HTTP Server
CentOS
Debian
Linux Mint
Apple macOS
Red Hat
RED OS
Rocky Linux
Ubuntu