Unrated severityNVD Advisory· Published Dec 5, 2025· Updated Dec 5, 2025

Apache HTTP Server: CGI environment variable override

CVE-2025-65082

Description

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs.

This issue affects Apache HTTP Server from 2.4.0 through 2.4.65.

Users are recommended to upgrade to version 2.4.66 which fixes the issue.

Affected products

Apache/HTTP Serverllm-fuzzy
Range: >=2.4.0 <=2.4.65
Apache Software Foundation/Apache HTTP Serverv5
Range: 2.4.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

httpd.apache.org/security/vulnerabilities_24.htmlmitrevendor-advisory

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000