CVE-2025-65082
MediumVulnerability Description
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs.
This issue affects Apache HTTP Server from 2.4.0 through 2.4.65.
Users are recommended to upgrade to version 2.4.66 which fixes the issue.
CVSS Metrics
Common Vulnerability Scoring System
Vector String:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CPUAPR2026
Oracle Critical Patch Update Advisory - April 2026
USN-7968-2
USN-7968-2: Apache HTTP Server regression
CPUJAN2026
Oracle Critical Patch Update Advisory - January 2026
USN-7968-1
USN-7968-1: Apache HTTP Server vulnerabilities
CVE-2025-65082
CVE-2025-65082
Severity Details
Weakness Type (CWE)
Improper Neutralization of Escape, Meta, or Control Sequences
- Description
- The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.
- Typical Severity
- Medium
- Abstraction Level
- Variant
Key Information
- Published Date
- December 05, 2025
