CVE-2025-66200 — MEDIUM (5.4)

Q: How severe is CVE-2025-66200?

CVE-2025-66200 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2025-66200?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server.

Vulnerability Description

mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid. This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65. Users are recommended to upgrade to version 2.4.66, which fixes the issue.

CVSS Score

5.4

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Apache	Http Server	>= 2.4.7, < 2.4.66

Related Weaknesses (CWE)

CWE-288

References

https://httpd.apache.org/security/vulnerabilities_24.htmlVendor Advisory
http://www.openwall.com/lists/oss-security/2025/12/04/8Issue TrackingThird Party Advisory

FAQ

What is CVE-2025-66200?

CVE-2025-66200 is a vulnerability with a CVSS score of 5.4 (MEDIUM). mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an un...

How severe is CVE-2025-66200?

CVE-2025-66200 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-66200?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server.