Server Side Includes Vulnerability in Apache HTTP Server by The Apache Software Foundation
CVE-2025-58098

Currently unrated

Key Information:

Vendor: Apache

CVE Published: 5 December 2025

What is CVE-2025-58098?

Apache HTTP Server versions 2.4.65 and earlier contain a vulnerability in the Server Side Includes (SSI) functionality when it is used with the mod_cgid module. The server mishandles the shell-escaped query strings passed to commands executed by #exec directives, and an attacker can exploit this. The issue is resolved in version 2.4.66; users should upgrade Apache HTTP Server to 2.4.66 or later.
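To triage a host against the three conditions named above (version before 2.4.66, mod_cgid loaded, SSI with #exec permitted), the following added example, which is not code from Apache or from this advisory, scans `httpd -v` output and a configuration file. The function names and sample inputs are constructed; it assumes mod_cgid is loaded through a `LoadModule` line and does not model `Include`d files, per-directory option merging, or statically compiled modules.

```python
import re

FIXED = (2, 4, 66)  # first fixed release named on this page

# Constructed sample inputs (not taken from a real host).
SAMPLE_BANNER = "Server version: Apache/2.4.65 (Unix)"
SAMPLE_CONFIG = """
LoadModule include_module modules/mod_include.so
LoadModule cgid_module modules/mod_cgid.so
<Directory "/var/www/html">
    # Options IncludesNOEXEC
    Options +Includes
    AddOutputFilter INCLUDES .shtml
</Directory>
"""

def parse_version(banner):
    """Return (major, minor, patch) from `httpd -v` style output, or None."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None

def audit(banner, config):
    """Report whether the three conditions from the advisory all hold."""
    version = parse_version(banner)
    cgid = ssi_exec = False
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue  # blank line or comment
        directive = words[0].lower()
        if directive == "loadmodule" and "cgid_module" in words[1:]:
            cgid = True
        elif directive == "options":
            # Enabled options only; "-Includes" removes the option.
            enabled = {w.lstrip("+").lower() for w in words[1:]
                       if not w.startswith("-")}
            # "Includes" permits #exec; "IncludesNOEXEC" does not.
            # "All" covers every option except MultiViews.
            if enabled & {"includes", "all"}:
                ssi_exec = True
    # An unparseable version is treated as outdated so it gets reviewed.
    outdated = version is None or version < FIXED
    return {"version": version, "outdated": outdated, "mod_cgid": cgid,
            "ssi_exec": ssi_exec,
            "needs_review": outdated and cgid and ssi_exec}

if __name__ == "__main__":
    print(audit(SAMPLE_BANNER, SAMPLE_CONFIG))
```

A `needs_review` result of `False` on a pre-2.4.66 build only means this file-level scan found no match; upgrading remains the fix the advisory gives.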

Affected Version(s)

Apache HTTP Server: from 0 up to, but not including, 2.4.66

Credit

Anthony Parfenov (United Rentals, Inc.)