CVE-2025-65082

Name: CVE-2025-65082
Description: Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs. This issue affects Apache HTTP Server from 2.4.0 through 2.4.65. Users are recommended to upgrade to version 2.4.66 which fixes the issue.
Source: CVE (cross-referenced at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues)
Debian Bugs: 1121926
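The description names the mechanism (environment variables set in the configuration superseding the CGI variables the server computes) but lists no affected directives or variable names. The following audit helper is an added example, not part of the tracker page and not httpd's own code: it scans an Apache configuration fragment for the directives that inject names into the CGI environment (SetEnv, PassEnv, SetEnvIf/SetEnvIfNoCase/SetEnvIfExpr, and mod_rewrite's E= flag) and reports any whose target is a CGI meta-variable name from RFC 3875 or one of the extra per-request variables Apache computes. The sample configuration is constructed, the function names are the example's own, and the premise that a configured name colliding with a computed one is what changes in 2.4.66 is an assumption drawn from the description above, not a statement about the fix.

```python
import re
import shlex

# CGI meta-variables from RFC 3875 section 4.1, plus per-request variables
# Apache's CGI handlers add (REQUEST_URI, SCRIPT_FILENAME, ...). A directive
# targeting one of these is a candidate for the superseding behaviour the CVE
# describes (assumption of this example; the page lists no names).
CGI_META_VARS = frozenset({
    "AUTH_TYPE", "CONTENT_LENGTH", "CONTENT_TYPE", "GATEWAY_INTERFACE",
    "PATH_INFO", "PATH_TRANSLATED", "QUERY_STRING", "REMOTE_ADDR",
    "REMOTE_HOST", "REMOTE_IDENT", "REMOTE_USER", "REQUEST_METHOD",
    "SCRIPT_NAME", "SERVER_NAME", "SERVER_PORT", "SERVER_PROTOCOL",
    "SERVER_SOFTWARE",
    "REQUEST_URI", "SCRIPT_FILENAME", "DOCUMENT_ROOT", "REMOTE_PORT",
    "SERVER_ADDR", "SERVER_ADMIN", "REQUEST_SCHEME",
})

# Directives (and the mod_rewrite flag) that put names into the CGI environment.
_DIRECTIVE_RE = re.compile(
    r"^(SetEnvIfNoCase|SetEnvIfExpr|SetEnvIf|SetEnv|PassEnv|RewriteRule)\s+(.*)$",
    re.IGNORECASE,
)


def _rewrite_env_names(args: list[str]) -> list[str]:
    """Names from [E=name:value] / [env=name:value] RewriteRule flags."""
    names = []
    for tok in args:
        if tok.startswith("[") and tok.endswith("]"):
            for flag in tok[1:-1].split(","):
                key, _, value = flag.partition("=")
                if key.strip().lower() in ("e", "env"):
                    names.append(value.split(":", 1)[0])
    return names


def find_cgi_var_overrides(config_text: str) -> list[tuple[int, str, str]]:
    """Return (line, directive, variable) for every directive that sets a
    variable whose name collides with a server-computed CGI meta-variable."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE_RE.match(line)
        if not m:
            continue
        directive, rest = m.group(1), m.group(2)
        try:
            args = shlex.split(rest)          # keeps quoted regex/expr whole
        except ValueError:                    # unbalanced quotes: best effort
            args = rest.split()
        kind = directive.lower()
        if kind == "setenv":
            names = args[:1]                  # SetEnv name [value]
        elif kind == "passenv":
            names = args                      # PassEnv name [name ...]
        elif kind in ("setenvif", "setenvifnocase"):
            names = args[2:]                  # attribute regex [!]name[=value]...
        elif kind == "setenvifexpr":
            names = args[1:]                  # expr [!]name[=value]...
        else:
            names = _rewrite_env_names(args)  # RewriteRule ... [E=name:value]
        for name in names:
            var = name.lstrip("!").split("=", 1)[0]   # strip unset marker/value
            if var in CGI_META_VARS:
                findings.append((lineno, directive, var))
    return findings


FIXED_UPSTREAM = (2, 4, 66)   # first upstream release with the fix (per the page)


def upstream_fixed(debian_version: str) -> bool:
    """True if the upstream part of a Debian version string is >= 2.4.66.
    Assumes no distro backport below that version, which matches the rows
    on this page (all stable releases are listed as vulnerable/no-dsa)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", debian_version)
    if not m:
        raise ValueError(f"unrecognised version: {debian_version!r}")
    return tuple(int(x) for x in m.groups()) >= FIXED_UPSTREAM


# Constructed sample configuration (not taken from any real deployment).
SAMPLE_CONFIG = r"""# constructed httpd.conf fragment
SetEnv APP_MODE production
SetEnv REMOTE_USER anonymous
SetEnvIf Request_URI "\.cgi$" cgi_request SCRIPT_NAME=/legacy/app.cgi
SetEnvIfNoCase User-Agent "^Mozilla" is_browser
PassEnv PATH REQUEST_METHOD
RewriteRule ^/app/(.*)$ /cgi-bin/app.cgi [E=QUERY_STRING:$1,E=X_APP:1]
# SetEnv PATH_INFO /ignored-because-commented-out
"""

if __name__ == "__main__":
    for lineno, directive, var in find_cgi_var_overrides(SAMPLE_CONFIG):
        print(f"line {lineno}: {directive} sets CGI meta-variable {var}")
    for v in ("2.4.65-1~deb12u1", "2.4.66-2"):
        print(v, "fixed upstream" if upstream_fixed(v) else "needs attention")
```

Run it over every file the server actually includes, and over any .htaccess files where SetEnvIf is allowed, not just httpd.conf. A hit is a candidate whose behaviour may differ before and after 2.4.66, not a confirmed problem; the version check only tells you whether the upstream fix is present and says nothing about a distribution backport, which this page shows none of for bullseye, bookworm or trixie.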

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release               Version            Status
apache2 (PTS)    bullseye              2.4.62-1~deb11u1   vulnerable
                 bullseye (security)   2.4.65-1~deb11u1   vulnerable
                 bookworm              2.4.65-1~deb12u1   vulnerable
                 bookworm (security)   2.4.62-1~deb12u2   vulnerable
                 trixie                2.4.65-2           vulnerable
                 forky                 2.4.65-3           vulnerable
                 sid                   2.4.66-2           fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
apache2   source   (unstable)   2.4.66-1                           1121926

Notes

[trixie] - apache2 <no-dsa> (Minor issue)
[bookworm] - apache2 <no-dsa> (Minor issue)
[bullseye] - apache2 <postponed> (Minor issue)
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2025-65082
https://github.com/apache/httpd/commit/e4f00c5eb71d8a7aa1f52b5279832986f669d463
