PT-2025-49183 · Apache+10 · Apache Http Server+10

Mattias Åsander · Published 2025-01-01 · Updated 2026-05-28 · CVE-2025-65082

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions
Apache HTTP Server versions 2.4.0 through 2.4.65

Description
Apache HTTP Server improperly neutralizes escape, meta, or control sequences in environment variables set via the Apache configuration. Environment variables configured there can unexpectedly supersede the variables that the server itself calculates for CGI programs, potentially leading to unexpected behavior or code execution. The issue affects the handling of CGI programs and their environment variables. No information was provided regarding the number of potentially affected devices or any real-world incidents where this issue was exploited.

Recommendations
Upgrade to version 2.4.66 to resolve the issue.
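
Until the upgrade is in place, it helps to know whether a configuration sets any variable that the server also calculates for CGI programs. The following audit is an added example, not code from the advisory or from the Apache project; the list of variable names (RFC 3875 meta-variables, common httpd extras and HTTP_* names) and the sample configuration are assumptions made for illustration.

```python
import shlex

# Names httpd computes for CGI programs: RFC 3875 meta-variables plus common
# Apache extras. The exact list is an assumption, not taken from the advisory.
SERVER_COMPUTED = {
    "AUTH_TYPE", "CONTENT_LENGTH", "CONTENT_TYPE", "DOCUMENT_ROOT",
    "GATEWAY_INTERFACE", "PATH_INFO", "PATH_TRANSLATED", "QUERY_STRING",
    "REMOTE_ADDR", "REMOTE_HOST", "REMOTE_IDENT", "REMOTE_PORT", "REMOTE_USER",
    "REQUEST_METHOD", "REQUEST_URI", "SCRIPT_FILENAME", "SCRIPT_NAME",
    "SERVER_ADDR", "SERVER_ADMIN", "SERVER_NAME", "SERVER_PORT",
    "SERVER_PROTOCOL", "SERVER_SOFTWARE",
}
# mod_env / mod_setenvif directive -> slice of tokens holding variable names.
ENV_DIRECTIVES = {
    "setenv": slice(1, 2), "passenv": slice(1, None),
    "setenvif": slice(3, None), "setenvifnocase": slice(3, None),
    "setenvifexpr": slice(2, None),
}

def audit_config(text):
    """Return (line_no, directive, variable) for each server-computed name set."""
    findings, logical, start = [], "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        start = start if logical else no     # first line of a continued directive
        if raw.rstrip().endswith("\\"):      # httpd line continuation
            logical += raw.rstrip()[:-1] + " "
            continue
        line, logical = (logical + raw).strip(), ""
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:                   # unbalanced quote inside a regex
            tokens = line.split()
        where = ENV_DIRECTIVES.get(tokens[0].lower())
        for tok in tokens[where] if where else []:
            name = tok.lstrip("!").split("=", 1)[0]
            if name in SERVER_COMPUTED or name.startswith("HTTP_"):
                findings.append((start, tokens[0], name))
    return findings

# Constructed sample configuration, not taken from a real server.
SAMPLE = """\
SetEnv APP_MODE production
SetEnv REQUEST_METHOD GET
PassEnv LANG SCRIPT_FILENAME
SetEnvIf User-Agent "^curl" \\
    is_cli=1 REMOTE_USER=svc
"""
print(audit_config(SAMPLE))
```

The function reads one configuration text at a time and does not follow Include directives, so run it over every file the server loads.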

Fix

RCE

Weakness Enumeration

Related Identifiers

ALSA-2025:23732
ALSA-2025:23919
ALSA-2025:23932
AZL-71525
AZL-71596
BDU:2025-15637
BIT-APACHE-2025-65082
CVE-2025-65082
MGASA-2025-0322
OESA-2026-1527
OESA-2026-1528
OESA-2026-1529
OESA-2026-1592
OESA-2026-1593
OPENSUSE-SU-2025:15808-1
OPENSUSE-SU-2026:20030-1
OPENSUSE-SU-2026:20810-1
RHSA-2026:2994
RHSA-2026:5156
SUSE-SU-2025:4488-1
SUSE-SU-2025:4518-1
SUSE-SU-2026:0019-1
SUSE-SU-2026:0020-1
SUSE-SU-2026:20081-1
SUSE-SU-2026:21846-1
USN-7968-1
USN-8338-1
ZDI-26-063

Affected Products

ALT Linux
AlmaLinux
Apache HTTP Server
CentOS
Debian
Linux Mint
Apple macOS
Red Hat
RED OS
Rocky Linux
Ubuntu