CVE-2025-58098
BaseFortify
Publication date: 2025-12-05
Last updated on: 2025-12-08
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | http_server | to 2.4.66 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-201 | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Apache HTTP Server versions 2.4.65 and earlier when Server Side Includes (SSI) are enabled along with mod_cgid (but not mod_cgi). The issue is that the server passes the shell-escaped query string to #exec cmd="..." directives, which can lead to unintended command execution.
How can this vulnerability impact me? :
The vulnerability can allow an attacker to execute arbitrary commands on the server via specially crafted query strings in SSI #exec directives, potentially leading to unauthorized access, data compromise, or server control.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Apache HTTP Server to version 2.4.66 or later, as this version fixes the vulnerability related to Server Side Includes (SSI) and mod_cgid passing shell-escaped query strings to #exec cmd directives.