The Apache Software Foundation has released Apache HTTP Server 2.4.66.

January 12, 2026 00:04:19

Show Notes

The Apache Software Foundation has released Apache HTTP Server 2.4.66 to address multiple vulnerabilities in the Apache HTTP Server 2.4 series.


Episode Transcript

The Apache Software Foundation has released Apache HTTP Server 2.4.66 to address multiple vulnerabilities in the Apache HTTP Server 2.4 series.

Affected Systems

CVE-2025-55753: Versions prior to Apache HTTP Server 2.4.66, including 2.4.30
CVE-2025-58098: Versions prior to Apache HTTP Server 2.4.66
CVE-2025-59775: Versions from Apache HTTP Server 2.4.0 to 2.4.65
CVE-2025-65082: Versions from Apache HTTP Server 2.4.0 to 2.4.65
CVE-2025-66200: Versions from Apache HTTP Server 2.4.7 to 2.4.65

Details

The Apache Software Foundation has released Apache HTTP Server 2.4.66 to address the following multiple vulnerabilities in the Apache HTTP Server 2.4 series.

An integer overflow issue when ACME certificate renewal fails repeatedly (CVE-2025-55753)
When Server Side Includes (SSI) is enabled and mod_cgid is used, a problem where shell-escaped query strings are passed to the #exec cmd directive (CVE-2025-58098)
Server-side request forgery in Apache HTTP Server on Windows (CVE-2025-59775)
Environment variables set via Apache configuration unexpectedly overwrite variables computed for CGI programs (CVE-2025-65082)
Vulnerability in AllowOverride FileInfo bypasses control by mod_userdir and suexec (CVE-2025-66200)

Potential Impact

The potential impact varies by vulnerability but may include the following:

Service disruption (DoS) due to repeated certificate renewal attempts until successful (CVE-2025-55753)
Injection of unintended query strings leading to unauthorized command execution (CVE-2025-58098)
NTLM hashes may be leaked to malicious servers when AllowEncodedSlashes is On and MergeSlashes is Off (CVE-2025-59775)
Unexpected processing occurs in CGI (CVE-2025-65082)
CGI scripts execute with an unexpected user ID (CVE-2025-66200)
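A defender-side triage check for the CVE-2025-59775 condition described above, added here as an example and not taken from the Apache project or this episode. It assumes a single configuration file with no Include directives and that a virtual host falls back to the server-level value; the function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample configuration, not taken from any real server.
SAMPLE_CONF = """\
AllowEncodedSlashes On
<VirtualHost *:80>
    MergeSlashes Off
</VirtualHost>
<VirtualHost *:443>
    AllowEncodedSlashes NoDecode
    MergeSlashes Off
</VirtualHost>
"""

DEFAULTS = {"allowencodedslashes": "off", "mergeslashes": "on"}  # httpd defaults

def in_affected_range(version):
    # Range stated above for CVE-2025-59775: 2.4.0 through 2.4.65.
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return (2, 4, 0) <= tuple(map(int, m.groups())) <= (2, 4, 65)

def risky_scopes(conf_text):
    # Scopes whose effective settings are AllowEncodedSlashes On + MergeSlashes Off.
    scopes, current = {"server": {}}, "server"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = f"VirtualHost {opened.group(1).strip()}"
            scopes.setdefault(current, {})
        elif re.match(r"</VirtualHost>", line, re.I):
            current = "server"
        else:
            parts = line.split()
            if len(parts) >= 2 and parts[0].lower() in DEFAULTS:
                scopes[current][parts[0].lower()] = parts[1].lower()
    # Assumption: a vhost falls back to the server-level value, then to defaults.
    eff = {n: {**DEFAULTS, **scopes["server"], **s} for n, s in scopes.items()}
    return [n for n, e in eff.items()
            if e["allowencodedslashes"] == "on" and e["mergeslashes"] == "off"]

def exposed(version, platform, conf_text):
    # True only for an in-range version on Windows with at least one risky scope.
    hits = risky_scopes(conf_text)
    return in_affected_range(version) and platform == "windows" and bool(hits), hits
```

A hit means the host matches the conditions listed in the advisory and should be prioritised for the 2.4.66 upgrade; it does not confirm exploitation.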
