CVE-2025-65082

MEDIUM6.5EPSS 0.14%

Apache HTTP Server: CGI environment variable override

Published: 12/5/2025Modified: 4/28/2026

Description

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs. This issue affects Apache HTTP Server from 2.4.0 through 2.4.65. Users are recommended to upgrade to version 2.4.66 which fixes the issue.

Affected packages (3)

Alpine/apache2from 0, < 2.4.66-r0
Bitnami/apache>= 2.4.0, < 2.4.66
Debian/apache2from 0, < 2.4.66-1~deb11u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References (5)

ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2025-65082
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2025-65082
WEBhttps://httpd.apache.org/security/vulnerabilities_24.html
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2025-65082
WEBhttp://www.openwall.com/lists/oss-security/2025/12/04/7