Server Side Includes Vulnerability in Apache HTTP Server by The Apache Software Foundation
CVE-2025-58098

8.3HIGH

Key Information:

Vendor: Apache
Status: Apache Http Server
Vendor: CVE Published:; 5 December 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-58098?

A security vulnerability exists in Apache HTTP Server versions 2.4.65 and earlier, allowing an attacker to exploit the Server Side Includes (SSI) functionality with the mod_cgid module. This issue arises when the server mishandles the shell-escaped query strings passed to commands executed by the #exec directives. To mitigate this risk, it is critical for users to upgrade their Apache HTTP Server to version 2.4.66 or later, where this issue has been resolved.

Affected Version(s)

Apache HTTP Server 0 < 2.4.66

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-58098
Created by dhmosfunk

References

https://httpd.apache.org/security/vulnerabilities_24.html

vendor-advisory

CVSS V3.1

Score:

8.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Jan 12, 2026
👾
Exploit known to exist
Jan 12, 2026
Vulnerability published
Dec 5, 2025
Vulnerability Reserved
Aug 22, 2025

Credit

Anthony Parfenov (United Rentals, Inc.)

JSON