CVE-2025-65082
Public on 2025-12-05
Modified on 2025-12-05
Description
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs.
This issue affects Apache HTTP Server from 2.4.0 through 2.4.65.
Users are recommended to upgrade to version 2.4.66 which fixes the issue.
This issue affects Apache HTTP Server from 2.4.0 through 2.4.65.
Users are recommended to upgrade to version 2.4.66 which fixes the issue.
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | httpd | 2026-01-05 | ALAS2-2025-3099 | Fixed |
| Amazon Linux 2023 | httpd | 2026-01-07 | ALAS2023-2025-1318 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 3.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |