Red Hot Cyber
Apache HTTP Server Update Fixes Critical Security Vulnerabilities

5 December 2025 09:23

The Apache Software Foundation has released a significant update for its widely used Apache HTTP Server, addressing five separate security vulnerabilities. Administrators are advised to apply the update as soon as possible so that their web infrastructure is protected against the identified attack vectors.

The newly released version 2.4.66 bundles fixes for issues ranging from an infinite loop in mod_md during failed certificate renewals to a possible NTLM credential leak on Windows.

Two of the vulnerabilities, rated "moderate", specifically affect shared-hosting configurations that use suexec and deployments on Windows; the remaining three are rated "low".

Among the most significant fixes in this update is CVE-2025-59775, a server-side request forgery (SSRF) vulnerability affecting Apache HTTP Server on Windows. The flaw, rated moderate, arises from the interaction between the AllowEncodedSlashes On and MergeSlashes Off settings. Neither value is the default (AllowEncodedSlashes defaults to Off and MergeSlashes to On), so only servers whose administrators have changed both settings are exposed.

According to the release note, this configuration "potentially allows NTLM hashes to be leaked to a malicious server via SSRF and malicious requests or content." An attacker who captures the server's NTLM challenge-response material can attempt offline cracking or relay it, effectively harvesting credentials from the server environment. That makes this a priority patch for Windows administrators.

The second moderate-severity flaw, CVE-2025-66200, involves the interaction between mod_userdir and suexec. It becomes reachable when AllowOverride FileInfo lets per-directory .htaccess files use the RequestHeader directive of mod_headers. The report notes that "users with access to the RequestHeader directive in htaccess can cause certain CGI scripts to run with an unexpected user ID." This breaks the per-user isolation that suexec is supposed to enforce, which is critical for security in multi-user environments.
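As an added example (not part of the article or of the Apache project), the following POSIX shell script scans an httpd configuration file for the two directive combinations that the preceding paragraphs tie to CVE-2025-59775 (AllowEncodedSlashes On together with MergeSlashes Off) and to CVE-2025-66200 (mod_userdir loaded while .htaccess files may use FileInfo directives). The directive names and their defaults are real httpd directives; the sample configuration embedded in the script is constructed for demonstration, and the checks are a triage aid rather than a full parser, since they ignore <Directory> and <VirtualHost> scoping.

```shell
#!/bin/sh
# Added example: config triage for the two moderate-severity preconditions.
# Not the Apache project's code. Scope (<Directory>, <VirtualHost>) is ignored,
# so treat a hit as "go and read that section", not as a verdict.

# Effective value of a directive: the last non-comment occurrence wins, as
# httpd takes the later directive within the same context. $3 is the
# documented default, used when the directive is absent.
directive_value() {
  # $1 = config file, $2 = directive name, $3 = default when absent
  v=$(grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | tail -n 1 | awk '{print $2}')
  if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# Returns 0 (true) when AllowEncodedSlashes On is combined with
# MergeSlashes Off, the combination the release note ties to CVE-2025-59775.
# Defaults are AllowEncodedSlashes Off and MergeSlashes On.
has_ssrf_combo() {
  aes=$(directive_value "$1" AllowEncodedSlashes Off | tr 'A-Z' 'a-z')
  ms=$(directive_value "$1" MergeSlashes On | tr 'A-Z' 'a-z')
  [ "$aes" = "on" ] && [ "$ms" = "off" ]
}

# Returns 0 (true) when mod_userdir is loaded and some AllowOverride line
# grants FileInfo (directly or via All), which is what lets a .htaccess file
# use RequestHeader, the precondition given for CVE-2025-66200. Whether suexec
# is actually enabled must be confirmed separately (mod_unixd's Suexec
# directive, or the SUEXEC_BIN line of `httpd -V`).
has_userdir_override() {
  grep -qiE '^[[:space:]]*LoadModule[[:space:]]+userdir_module' "$1" || return 1
  grep -qiE '^[[:space:]]*AllowOverride([[:space:]]+[^[:space:]]+)*[[:space:]]+(FileInfo|All)([[:space:]]|$)' "$1"
}

# Demonstration on a constructed configuration that has both problems.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample httpd.conf, not a real deployment
LoadModule userdir_module modules/mod_userdir.so
AllowEncodedSlashes On
MergeSlashes Off
<Directory "/home/*/public_html">
    AllowOverride FileInfo
</Directory>
EOF

if has_ssrf_combo "$sample"; then
  echo "CVE-2025-59775 precondition: AllowEncodedSlashes On with MergeSlashes Off" \
       "(interim: restore MergeSlashes On or AllowEncodedSlashes Off; fix: 2.4.66)"
fi
if has_userdir_override "$sample"; then
  echo "CVE-2025-66200 precondition: mod_userdir plus AllowOverride FileInfo/All" \
       "(interim: drop FileInfo from AllowOverride in userdir trees; fix: 2.4.66)"
fi
rm -f "$sample"
```

Run it against a copy of httpd.conf and any included files (`Include`/`IncludeOptional` are not followed). Because the script only reports preconditions quoted from the release note, a clean result does not replace updating to 2.4.66; it only tells you whether the interim configuration changes are relevant to a given host.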

The update also resolves three low-severity issues that, while less critical, could disrupt operations or produce unexpected behaviour:

  • Infinite loop (CVE-2025-55753): a bug in mod_md (ACME) can make the module loop indefinitely during failed certificate renewals, a potential resource-exhaustion scenario.
  • Query string issue (CVE-2025-58098): affects servers using Server Side Includes (SSI) together with mod_cgid. The note states that the server "passes the shell-escaped query string to the #exec cmd='...' directives." Servers that do not need command execution from SSI pages can disable it with Options IncludesNOEXEC, independently of the update.
  • Variable override (CVE-2025-65082): concerns "variables set via Apache configuration that unexpectedly override server-calculated variables for CGI programs", so environment variables set in the configuration could take precedence over the values the server computes for a request.

Users are advised to update to version 2.4.66, which fixes all five issues.
