Server Side Includes Vulnerability in Apache HTTP Server by The Apache Software Foundation
CVE-2025-58098
8.3 HIGH
What is CVE-2025-58098?
A security vulnerability exists in Apache HTTP Server versions 2.4.65 and earlier that allows an attacker to exploit the Server Side Includes (SSI) functionality when it is used with the mod_cgid module. The issue arises because the server mishandles the shell-escaped query strings passed to commands executed by #exec directives. To mitigate this risk, upgrade Apache HTTP Server to version 2.4.66 or later, where the issue has been resolved.
Affected Version(s)
Apache HTTP Server 0 < 2.4.66
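The conditions named above (a release below 2.4.66, mod_cgid loaded, SSI with #exec in use) can be checked from a host's own version banner, configuration and served documents. The following Python is an added example, not code from the advisory or the Apache project; the banner, configuration and document contents are constructed samples, and treating IncludesNOEXEC as not exec-enabled relies on the standard Apache option, which the advisory does not mention.

```python
import re

FIXED = (2, 4, 66)  # first fixed release according to the advisory

def parse_version(banner):
    """Pull (major, minor, patch) out of `httpd -v` style output."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(map(int, m.groups())) if m else None

def audit(banner, config_text, documents):
    """Report which of the advisory's preconditions hold for one host."""
    version = parse_version(banner)
    # Apache treats only lines that start with '#' as comments.
    active = [l.strip() for l in config_text.splitlines()
              if l.strip() and not l.strip().startswith("#")]
    cgid = any(re.match(r"LoadModule\s+cgid_module\b", l, re.I) for l in active)
    ssi_exec = False
    for line in active:
        parts = line.split()
        if parts[0].lower() != "options":
            continue
        # "Includes"/"+Includes" permit #exec; "IncludesNOEXEC" (assumption:
        # standard Apache option, not named in the advisory) and "-Includes" do not.
        if any(p.lstrip("+").lower() == "includes" for p in parts[1:]):
            ssi_exec = True
    exec_pages = sorted(name for name, body in documents.items()
                        if re.search(r"<!--#exec\b", body, re.I))
    below_fixed = version is not None and version < FIXED
    return {
        "version": version,
        "below_fixed": below_fixed,
        "mod_cgid_loaded": cgid,
        "ssi_exec_enabled": ssi_exec,
        "exec_pages": exec_pages,
        "exposed": below_fixed and cgid and ssi_exec and bool(exec_pages),
    }

# Constructed sample inputs (not taken from a real host).
SAMPLE_BANNER = "Server version: Apache/2.4.65 (Unix)"
SAMPLE_CONFIG = """\
LoadModule include_module modules/mod_include.so
LoadModule cgid_module modules/mod_cgid.so
#LoadModule cgi_module modules/mod_cgi.so
<Directory "/var/www/html">
    Options +Includes
</Directory>
"""
SAMPLE_DOCS = {"index.shtml": '<!--#exec cmd="uptime" -->', "about.html": "<p>hi</p>"}

if __name__ == "__main__":
    print(audit(SAMPLE_BANNER, SAMPLE_CONFIG, SAMPLE_DOCS))
```

A host reported as exposed still needs the upgrade to 2.4.66 or later; the other fields only show where #exec is in use while the upgrade is scheduled.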
CVSS V3.1
Score: 8.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Anthony Parfenov (United Rentals, Inc.)