CVE-2025-66200

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-66200
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-66200.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-66200
Aliases
Downstream
Related
Published
2025-12-05T11:15:52.747Z
Modified
2025-12-12T21:54:21.791311Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Summary
[none]
Details

mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users who are permitted to use the RequestHeader directive in .htaccess can cause some CGI scripts to run under an unexpected userid.

This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65.

Users are recommended to upgrade to version 2.4.66, which fixes the issue.

References

Affected packages

Git / github.com/apache/httpd

Affected ranges

Type
GIT
Repo
https://github.com/apache/httpd
Events