Recent release of the HTTP server Apache 2.4.66 has been introduced, addressing 5 vulnerabilities and incorporating numerous changes.
The fixed vulnerabilities include:
- CVE-2025-66200 – CGI script launch manipulation through the “RequestHeader” directive in .htaccess.
- CVE-2025-59775 – SSRF vulnerability leading to NTLM hash leak on Windows platform with specific settings.
- CVE-2025-65082 – CGI script environment variable override due to control character escaping.
- CVE-2025-58098 – Passing escaped query string to SSI in mod_cgid configurations.
- CVE-2025-55753 – Continuous ACME certificate renewal requests in mod_md module.
Non-security related improvements include:
- Update to mod_md module version 2.6.6 with ARI protocol extension support and bug fixes.
- Update to mod_http2 module version 2.0.35 with added directives and improved processing.
- Addition of “ListenTCPDeferAccept” directive in mpm_common.
- Introduction of “SSLVHostSNIPolicy” directive in mod_ssl for virtual host configuration.
/Reports, release notes, official announcements.