From: Eric Covener <[email protected]>
Reply-To: <[email protected]>

Severity: low 

Affected versions:

- Apache HTTP Server 2.4.0 through 2.4.65

Description:

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in 
Apache HTTP Server through environment variables set via the Apache 
configuration unexpectedly superseding variables calculated by the server for 
CGI programs.

This issue affects Apache HTTP Server from 2.4.0 through 2.4.65.

Users are recommended to upgrade to version 2.4.66 which fixes the issue.

Credit:

Mattias Åsander (Umeå University) (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-65082

Timeline:

2025-11-14: reported
2025-12-01: fixed in 2.4.x by r1930167
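
Added example (not part of the original advisory, and not Apache project code): a configuration audit that flags SetEnv, PassEnv and SetEnvIf directives whose variable names coincide with variables the server computes for CGI programs. The directive set and the name list (RFC 3875 meta-variables, common Apache additions, HTTP_* header variables) are assumptions, since the advisory names neither; the sample configuration is constructed.

```python
import shlex

# Assumption: RFC 3875 meta-variables plus common Apache CGI additions;
# the advisory does not list which names are affected.
CGI_VARS = {
    "AUTH_TYPE", "CONTENT_LENGTH", "CONTENT_TYPE", "GATEWAY_INTERFACE",
    "PATH_INFO", "PATH_TRANSLATED", "QUERY_STRING", "REMOTE_ADDR",
    "REMOTE_HOST", "REMOTE_IDENT", "REMOTE_USER", "REQUEST_METHOD",
    "SCRIPT_NAME", "SERVER_NAME", "SERVER_PORT", "SERVER_PROTOCOL",
    "SERVER_SOFTWARE", "DOCUMENT_ROOT", "SCRIPT_FILENAME", "REQUEST_URI",
}
# Assumption: mod_env / mod_setenvif directives -> index of first variable token.
DIRECTIVES = {"setenv": 1, "passenv": 1, "setenvif": 3, "setenvifnocase": 3}


def colliding_env(conf_text):
    """Return (line_no, directive, name) for config-set names that collide."""
    hits = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)      # honours quoted regexes/values
        except ValueError:                 # unbalanced quote: plain split
            parts = line.split()
        directive = parts[0].lower()
        if directive not in DIRECTIVES:
            continue
        start = DIRECTIVES[directive]
        # SetEnv takes one name then a value; the others take a list of names.
        tokens = parts[start:start + 1] if directive == "setenv" else parts[start:]
        for tok in tokens:
            name = tok.lstrip("!").split("=", 1)[0]
            if name in CGI_VARS or name.startswith("HTTP_"):
                hits.append((no, parts[0], name))
    return hits


# Constructed sample configuration (not taken from the advisory).
SAMPLE_CONF = """\
# vhost fragment
SetEnv APP_MODE production
SetEnv REMOTE_USER deploy
PassEnv LANG SERVER_NAME
SetEnvIf User-Agent "Test Bot" HTTP_X_TRUSTED=1 is_bot
"""
```

A hit marks configuration to review around the upgrade to 2.4.66; it does not by itself show that a particular CGI program is affected.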

