5.4

CVE-2025-66200

EPSS 0.04%
Veröffentlicht 05.12.2025 11:02:25
Zuletzt bearbeitet 10.12.2025 16:39:43
Quelle security@apache.org
CVE-Watchlists
Login
Unerledigt
Login

mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid.

This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65.

Users are recommended to upgrade to version 2.4.66, which fixes the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ HTTP Server Version >= 2.4.7 < 2.4.66

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.1

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

CWE-288 Authentication Bypass Using an Alternate Path or Channel

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

https://httpd.apache.org/security/vulnerabilities_24.html

Vendor Advisory

http://www.openwall.com/lists/oss-security/2025/12/04/8

Third Party Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2025-66200

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-66200

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-66200

EUVD