SB2025120441 - Multiple vulnerabilities in Apache HTTP Server

Description

This security bulletin contains information about 5 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2025-66200)

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input when parsing the RequestHeader directive in .htaccess files. A local user can bypass mod_userdir+suexec security measures via AllowOverride FileInfo and run certain CGI scripts under an unexpected userid.

2) Code injection (CVE-ID: CVE-2025-65082)

The vulnerability allows a local user to affect web server behavior. 

The vulnerability exists due to improper input validation when handling environment variables set via the Apache configuration. A local user can set specially crafted values that supersede variables calculated by the server for CGI programs.

3) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2025-59775)

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input when AllowEncodedSlashes is "On" and MergeSlashes is "Off". A remote attacker can send a specially crafted HTTP request and force the web server into leaking NTLM hashes. 

Note, the vulnerability affects Windows installations only. 

4) Improper Neutralization of Server-Side Includes (SSI) Within a Web Page (CVE-ID: CVE-2025-58098)

The vulnerability allows a remote attacker to execute arbitrary commands.

The vulnerability exists due to insufficient input validation with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi). The web server passes the shell-escaped query string to #exec cmd="..." directives. A remote attacker can send a specially crafted HTTP request to the server and potentially execute arbitrary code.

5) Integer overflow (CVE-ID: CVE-2025-55753)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to an integer overflow in mod_md (ACME) in the case of failed ACME certificate renewal. The web server will set the backoff timer becoming 0 after a number of failures (~30 days in default configurations), leading to a denial of service condition.

Remediation

Install update from vendor's website.

References

• https://downloads.apache.org/httpd/CHANGES_2.4#2.4.66
• https://httpd.apache.org/security/vulnerabilities_24.html
• https://lists.apache.org/thread/qsqgjfh3opl1zyqvky8wxpdhctkgc0s5
• https://lists.apache.org/thread/w3no61r33ys2vytk2whkfy3owjtdw25c
• https://lists.apache.org/thread/4xbrxoylw1d6ymj9ptbqdhhtv629jddt
• https://lists.apache.org/thread/6q07f57b8cjzt051rk2v4nqokm8rgm42
• https://lists.apache.org/thread/1vygt5ztr7vqgtv9zclnln7mbwng6xzs