CVE-2025-66200
Apache HTTP Server: mod_userdir+suexec bypass via AllowOverride FileInfo
5.4
MEDIUM
CVSS 3.1
EPSS 0.04%
Description
mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. A user who can place a RequestHeader directive in an .htaccess file (the directive belongs to the FileInfo override class, so AllowOverride FileInfo or AllowOverride All permits it) can cause some CGI scripts to run under an unexpected user ID instead of the one suexec was expected to switch to. This issue affects Apache HTTP Server from 2.4.7 through 2.4.65. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
How to fix CVE-2025-66200
To remediate CVE-2025-66200, upgrade the affected package to a fixed version below.
- —upgrade to 2.4.66-r0 or later
- —upgrade to 2.4.66 or later
- —upgrade to 2.4.66-1~deb11u1 or later
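As an added example (not code from the Apache project or from this page's source), the Python below turns the description and the fix list into a check a practitioner can run: it parses `httpd -v` / `apache2 -v` output and tests it against the advisory's affected range 2.4.7 <= version < 2.4.66, and it scans an httpd.conf excerpt for `<Directory>` sections whose `AllowOverride` (All or FileInfo) or `AllowOverrideList` lets an .htaccess file use `RequestHeader`, which is the capability the advisory says the attacker needs. The config excerpt is constructed for this example, the function names are mine, and the interim hardening it illustrates (dropping FileInfo from `AllowOverride` in user directories until 2.4.66 is installed) is inferred from the description, not stated on this page. The scanner does not follow `Include` directives or read .htaccess files themselves.

```python
"""Added example for CVE-2025-66200: version-range check plus a scan for
<Directory> sections whose .htaccess policy permits RequestHeader.
Illustrative code written for this page, not Apache project code."""
import re

# Affected upstream range from the advisory: 2.4.7 <= version < 2.4.66.
AFFECTED_FROM = (2, 4, 7)
FIXED_IN = (2, 4, 66)

_VERSION_RE = re.compile(r"Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)")
_DIR_OPEN = re.compile(r'^\s*<Directory\s+"?([^">]+?)"?\s*>\s*$', re.I)
_DIR_CLOSE = re.compile(r"^\s*</Directory>\s*$", re.I)
_ALLOW_OVERRIDE = re.compile(r"^\s*AllowOverride\s+(.+?)\s*$", re.I)
_ALLOW_OVERRIDE_LIST = re.compile(r"^\s*AllowOverrideList\s+(.+?)\s*$", re.I)


def parse_httpd_version(httpd_v_output: str) -> tuple:
    """Pull (major, minor, patch) out of `httpd -v` / `apache2 -v` output."""
    m = _VERSION_RE.search(httpd_v_output)
    if m is None:
        raise ValueError("no 'Server version: Apache/x.y.z' line in input")
    return tuple(int(part) for part in m.groups())


def upstream_is_affected(version: tuple) -> bool:
    """True if the upstream version falls inside the advisory's range.

    Caveat: distributions sometimes backport fixes without bumping the
    upstream version, so compare the distro package version against the
    fixed package versions listed on this page before trusting a True."""
    return AFFECTED_FROM <= tuple(version) < FIXED_IN


def _request_header_allowed(allow_override, allow_override_list) -> bool:
    """RequestHeader is in the FileInfo override class: an .htaccess file may
    use it if AllowOverride grants All or FileInfo, or if AllowOverrideList
    names the directive explicitly (that list works even under AllowOverride None)."""
    classes = {tok.lower() for tok in allow_override}
    if "all" in classes or "fileinfo" in classes:
        return True
    return "requestheader" in {tok.lower() for tok in allow_override_list}


def directories_allowing_request_header(conf_text: str) -> list:
    """Return the <Directory> paths whose .htaccess policy permits RequestHeader.

    Deliberately simple: no Include handling, and <Directory> blocks are
    assumed not to nest (httpd itself rejects nested <Directory> sections)."""
    findings = []
    current = None
    allow_override = []
    allow_override_list = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # httpd comments are whole lines only
            continue
        if (m := _DIR_OPEN.match(line)):
            current = m.group(1)
            allow_override = ["None"]       # httpd's default since 2.3.9
            allow_override_list = ["None"]
        elif _DIR_CLOSE.match(line):
            if current is not None and _request_header_allowed(allow_override, allow_override_list):
                findings.append(current)
            current = None
        elif current is not None and (m := _ALLOW_OVERRIDE_LIST.match(line)):
            allow_override_list = m.group(1).split()
        elif current is not None and (m := _ALLOW_OVERRIDE.match(line)):
            allow_override = m.group(1).split()   # last occurrence wins
    return findings


# Constructed sample httpd.conf excerpt (not taken from any real server).
SAMPLE_CONF = """\
# Per-user sites served by mod_userdir; CGI under them runs via suexec.
UserDir public_html

# Weak: FileInfo lets each user's .htaccess carry RequestHeader.
<Directory "/home/*/public_html">
    AllowOverride FileInfo AuthConfig
    Options ExecCGI
</Directory>

# Also weak: AllowOverride None, but the list re-enables the directive.
<Directory "/home/*/public_html/cgi-bin">
    AllowOverride None
    AllowOverrideList RequestHeader
</Directory>

# Hardened interim setting: no FileInfo, so RequestHeader in .htaccess is rejected.
<Directory "/srv/users/public_html">
    AllowOverride AuthConfig Limit
    Options ExecCGI
</Directory>
"""

if __name__ == "__main__":
    # Constructed `httpd -v` output; on a real host use subprocess to run it.
    sample_httpd_v = "Server version: Apache/2.4.58 (Ubuntu)\nServer built:   2024-01-01"
    v = parse_httpd_version(sample_httpd_v)
    print(f"httpd {'.'.join(map(str, v))} in affected upstream range: {upstream_is_affected(v)}")
    for path in directories_allowing_request_header(SAMPLE_CONF):
        print(f"RequestHeader usable from .htaccess under: {path}")
```

A True from the version check is a prompt to verify the installed package against the fixed package versions above, not a confirmed exposure: distribution builds may carry the fix under a lower upstream version string. The config scan is most meaningful on hosts that actually combine mod_userdir with suexec-run CGI, which is the configuration the advisory names.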
Is CVE-2025-66200 being exploited?
Low. EPSS is 0.04%, i.e. the EPSS model estimates a very low probability of exploitation in the wild over the next 30 days. EPSS is a prediction, not a report of observed attacks, so a low score does not rule out targeted use against hosts that combine mod_userdir with suexec-run CGI.
Affected packages (3)
- from 0, < 2.4.66-r0
- >= 2.4.7, < 2.4.66
- from 0, < 2.4.66-1~deb11u1
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L |