CVE-2025-65082 — Apache HTTP Server: CGI environment variable override

Description

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs. This issue affects Apache HTTP Server from 2.4.0 through 2.4.65. Users are recommended to upgrade to version 2.4.66 which fixes the issue.

How to fix CVE-2025-65082

To remediate CVE-2025-65082, upgrade the affected package to a fixed version below.

—upgrade to 2.4.66-r0 or later
—upgrade to 2.4.66 or later
—upgrade to 2.4.66-1~deb11u1 or later

Is CVE-2025-65082 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 2.4.66-r0
>= 2.4.0, < 2.4.66
from 0, < 2.4.66-1~deb11u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References (5)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2025-65082
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-65082
WEBhttpd.apache.org/security/vulnerabilities_24.html
WEBnvd.nist.gov/vuln/detail/CVE-2025-65082
WEB