CVE-2025-58098
Apache HTTP Server: Server Side Includes adds query string to #exec cmd=...
In short
Apache HTTP Server with Server Side Includes (SSI) enabled and mod_cgid loaded appends the request's query string, after shell escaping, to the command run by an SSI #exec cmd="..." directive. Anyone who can request such a page therefore chooses additional arguments to that command; because the string is escaped, it reaches the command as argument data rather than as shell syntax, so what an attacker can achieve depends on what the configured command does with unexpected arguments.
Technical detail
CVE-2025-58098 affects Apache HTTP Server 2.4.65 and earlier (every release before 2.4.66) when mod_include (SSI) and mod_cgid are both enabled; servers that run mod_cgi instead of mod_cgid are not affected. On an affected build, the query string of the request is shell-escaped and added to the command line that an #exec cmd="..." directive executes. The escaping stops the query string from being interpreted as shell metacharacters, so this is argument injection rather than direct command injection: the attacker supplies arguments to a command the page author chose, and that command runs with the privileges of the web server process. The impact is bounded by how the invoked command handles extra arguments, which is why the fix is to stop passing the query string at all rather than to escape it differently.
Summary generated and translated by AI from the official description.
Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives.
This issue affects Apache HTTP Server before 2.4.66.
Users are recommended to upgrade to version 2.4.66, which fixes the issue.
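The three conditions the description names (a pre-2.4.66 build, mod_include together with mod_cgid, and a page that actually uses #exec cmd=) can be checked together. The script below is an added example written for this page, not code from the Apache project or from the advisory; it assumes a stock httpd install where "httpd -M" lists modules as include_module, cgid_module and cgi_module, and where SSI pages live under one document root. The module listing and document root it runs against are constructed samples.

```shell
#!/bin/sh
# Exposure check for CVE-2025-58098. Added example for this page, not code from
# the Apache project. Assumes the conventions of a stock httpd install: the
# module listing printed by "httpd -M" (include_module, cgid_module, cgi_module)
# and SSI pages kept under a single document root.
#
# All three conditions below must hold for a server to be exposed:
#   1. httpd version earlier than 2.4.66 (the first fixed release);
#   2. mod_include and mod_cgid both loaded (mod_cgi alone is not affected);
#   3. at least one SSI page that uses <!--#exec cmd="..." -->, since that is
#      the directive whose command receives the escaped query string.

# version_is_affected VERSION: returns 0 when VERSION is older than 2.4.66.
version_is_affected() {
    v=${1%%-*}                     # drop suffixes such as "-dev"
    maj=${v%%.*}
    rest=${v#*.}
    min=${rest%%.*}
    pat=${rest#*.}
    pat=${pat%%.*}
    [ "$maj" -lt 2 ] && return 0
    [ "$maj" -gt 2 ] && return 1
    [ "$min" -lt 4 ] && return 0
    [ "$min" -gt 4 ] && return 1
    [ "$pat" -lt 66 ]
}

# modules_affected: reads "httpd -M" output on stdin; returns 0 when both
# include_module and cgid_module are loaded.
modules_affected() {
    listing=$(cat)
    printf '%s\n' "$listing" | grep -q '^[[:space:]]*include_module' || return 1
    printf '%s\n' "$listing" | grep -q '^[[:space:]]*cgid_module'
}

# exec_cmd_page_count DOCROOT: number of files under DOCROOT that contain an
# SSI #exec cmd= directive.
exec_cmd_page_count() {
    grep -rlE '<!--#exec[[:space:]]+cmd=' "$1" 2>/dev/null | wc -l | tr -d '[:space:]'
}

# exposed VERSION DOCROOT (module listing on stdin): returns 0 only when all
# three conditions hold.
exposed() {
    version_is_affected "$1" || return 1
    modules_affected || return 1
    [ "$(exec_cmd_page_count "$2")" -gt 0 ]
}

# Constructed sample data standing in for "httpd -M" output and a document
# root; not captured from a real server.
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 include_module (shared)
 cgid_module (shared)'

make_sample_docroot() {
    d=$(mktemp -d)
    printf '<html><body>\n<!--#exec cmd="ls -l /var/www/reports" -->\n</body></html>\n' \
        > "$d/index.shtml"
    printf '<html><body>no SSI here</body></html>\n' > "$d/about.html"
    printf '%s\n' "$d"
}

# On a live server, feed real values instead of the samples, for example:
#   version=$(httpd -v | sed -n 's|^Server version: Apache/\([0-9.]*\).*|\1|p')
#   httpd -M 2>/dev/null | exposed "$version" /var/www/html
if [ "${1:-}" = "--demo" ]; then
    docroot=$(make_sample_docroot)
    if printf '%s\n' "$SAMPLE_MODULES" | exposed 2.4.65 "$docroot"; then
        echo "2.4.65 + mod_include + mod_cgid + #exec cmd page: exposed"
    else
        echo "not exposed"
    fi
    rm -rf "$docroot"
fi
```

Run it with --demo to see the sample verdict, or pipe a real "httpd -M" listing into exposed as the comment shows. Upgrading to 2.4.66 is the fix; where that has to wait, replacing Options Includes with Options IncludesNOEXEC keeps SSI working but disables #exec cmd and #exec cgi, which removes the directive this issue reaches. That mitigation comes from the mod_include documentation and is not mentioned on this page.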
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Affected products
Apache Software Foundation · Apache HTTP Server