Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-65082

CVE-2025-65082: Apache HTTP Server XSS Vulnerability

CVE-2025-65082 is an XSS flaw in Apache HTTP Server affecting versions 2.4.0 through 2.4.65. This vulnerability enables attackers to inject malicious scripts through environment variables. Explore technical details and patches.

Published:

CVE-2025-65082 Overview

CVE-2025-65082 is an Improper Neutralization of Escape, Meta, or Control Sequences vulnerability [CWE-150] in Apache HTTP Server. Environment variables set through the Apache configuration can unexpectedly supersede variables calculated by the server for Common Gateway Interface (CGI) programs. This behavior allows configuration-defined values to override server-computed CGI variables, breaking the trust boundary between configuration and request-derived data.

The issue affects Apache HTTP Server versions 2.4.0 through 2.4.65. The Apache Software Foundation released version 2.4.66 to address the issue.

Critical Impact

Attackers leveraging crafted environment variables can influence CGI program execution context, potentially leading to information disclosure and integrity impact on CGI-enabled web servers.

Affected Products

  • Apache HTTP Server 2.4.0 through 2.4.65
  • Deployments using mod_cgi, mod_cgid, or related CGI handlers
  • Server configurations using SetEnv, PassEnv, or SetEnvIf directives with CGI scripts

Discovery Timeline

  • 2025-12-05 - CVE-2025-65082 published to the National Vulnerability Database (NVD)
  • 2025-12-10 - Last updated in NVD database

Technical Details for CVE-2025-65082

Vulnerability Analysis

The vulnerability resides in how Apache HTTP Server constructs the environment block passed to CGI programs. When the server invokes a CGI program, it computes a defined set of environment variables such as REQUEST_METHOD, QUERY_STRING, HTTP_HOST, and SCRIPT_NAME. These values represent request-derived context that CGI programs rely on for security decisions.

In affected versions, environment variables defined through the Apache configuration can supersede these server-calculated variables. This violates the expected precedence model, where server-computed CGI metadata should take priority over administrator-supplied environment values for protected variable names. The flaw is classified under [CWE-150] because it involves improper neutralization of values that act as control data for downstream CGI handlers.

Root Cause

The root cause is missing enforcement of variable precedence in the CGI environment construction logic. Apache merges configuration-defined environment values with server-calculated CGI variables without reserving protected names for the server. As a result, directives such as SetEnv or PassEnv can overwrite values that CGI programs treat as authoritative.

Attack Vector

The vulnerability is exploitable over the network without authentication and without user interaction. An attacker requires a server configuration where attacker-influenced environment values can be set or where misconfiguration causes CGI variables to be overwritten. Successful exploitation results in low-impact confidentiality and integrity consequences for CGI workloads. The vulnerability does not directly enable remote code execution, but it can subvert authorization logic in CGI programs that rely on standard CGI variables.

No public proof-of-concept exploit is currently available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the Apache HTTPD Vulnerabilities List for vendor technical details.

Detection Methods for CVE-2025-65082

Indicators of Compromise

  • Unexpected values in CGI script logs for standard variables such as REMOTE_USER, AUTH_TYPE, SCRIPT_NAME, or PATH_INFO
  • Apache configuration files containing SetEnv or PassEnv directives that reference reserved CGI variable names
  • CGI program behavior inconsistencies between request data and reported environment context

Detection Strategies

  • Audit Apache configuration files for SetEnv, SetEnvIf, and PassEnv directives that assign values to known CGI environment variable names
  • Inventory all Apache HTTP Server instances and compare installed versions against the fixed release 2.4.66
  • Review CGI program source code for trust assumptions placed on environment variables that could be overridden by configuration

Monitoring Recommendations

  • Enable verbose CGI logging to capture the environment seen by CGI handlers during request processing
  • Monitor web access logs for anomalous request patterns targeting CGI endpoints under /cgi-bin/ or equivalent paths
  • Track changes to Apache configuration files using file integrity monitoring to identify unauthorized directive additions

How to Mitigate CVE-2025-65082

Immediate Actions Required

  • Upgrade Apache HTTP Server to version 2.4.66 or later on all affected systems
  • Audit all Apache configurations for environment-setting directives applied to CGI-handling virtual hosts or directories
  • Restrict configuration write access to trusted administrators only

Patch Information

The Apache Software Foundation has released Apache HTTP Server 2.4.66, which fixes CVE-2025-65082. Download the patched release from the official Apache HTTP Server distribution channels. Review the Apache HTTPD Vulnerabilities List for the complete vendor advisory and verify package versions through your distribution's security update channel.

Workarounds

  • Remove or comment out SetEnv and PassEnv directives that set environment variables matching CGI-reserved names
  • Disable CGI handlers (mod_cgi, mod_cgid) on virtual hosts that do not require CGI execution
  • Apply strict configuration management to prevent unintended environment variable definitions from reaching CGI program scope
bash
# Verify installed Apache HTTP Server version
httpd -v

# Example: search Apache configuration for risky environment directives
grep -rE "^\s*(SetEnv|PassEnv|SetEnvIf)" /etc/httpd/ /etc/apache2/

# Disable mod_cgi on systems that do not require CGI (Debian/Ubuntu)
a2dismod cgi cgid && systemctl restart apache2

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.