Apache HTTP Server 2.4.66 has been released, fixing five vulnerabilities and introducing dozens of changes.
Fixed vulnerabilities (the first two are of moderate severity, the remaining three are of low severity):
- CVE-2025-66200 - Execution of a CGI script as a different user in configurations that combine mod_userdir and suexec, by manipulating the "RequestHeader" directive in an .htaccess file (when that directive is permitted in .htaccess).
- CVE-2025-59775 - SSRF (Server-Side Request Forgery) that leaks an NTLM hash to another server when Apache httpd runs on Windows with the "AllowEncodedSlashes On" and "MergeSlashes Off" settings.
- CVE-2025-65082 - Environment variable override for CGI scripts due to incorrect escaping of control characters: variables set in the configuration can override the values of variables that the server computes for CGI.
- CVE-2025-58098 - Passing an escaped query string to an SSI (Server Side Includes) directive in configurations that use mod_cgid instead of mod_cgi.
- CVE-2025-55753 - mod_md sent repeated ACME certificate renewal requests with no delay between them after a large number of failed attempts to renew an expired certificate.
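The CVE-2025-59775 entry above names a specific pair of settings. The following added example (written for this article, not code from the Apache httpd project) is a defender-side check: it parses a simplified subset of httpd configuration syntax, applies the documented defaults (AllowEncodedSlashes defaults to Off, MergeSlashes to On), lets each VirtualHost inherit server-wide values, and reports every context where "AllowEncodedSlashes On" and "MergeSlashes Off" are both in effect. A second helper compares an `httpd -v` version line against 2.4.66. The sample configuration inside the block is constructed for illustration; the parser only understands directive lines and paired `<Section>`/`</Section>` blocks, which is enough for these two server/virtual-host level directives.

```python
"""Flag httpd configuration contexts that combine "AllowEncodedSlashes On"
with "MergeSlashes Off" (the precondition the article gives for
CVE-2025-59775) and check whether a running build is at or past 2.4.66.

Added example for this article; not Apache httpd project code.
Assumptions: a simplified config grammar (one directive per line,
full-line "#" comments, nested <Section ...> ... </Section> blocks) and
inheritance of server-wide settings into each VirtualHost, which is how
httpd merges these two directives.
"""
import re

OPEN_RE = re.compile(r"^<(\w+)\b[^>]*>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")

# Documented httpd defaults for the two directives of interest.
DEFAULTS = {"allowencodedslashes": "off", "mergeslashes": "on"}
FIXED_VERSION = (2, 4, 66)

# Constructed sample configuration (not a real deployment).
CONSTRUCTED_CONFIG = """
# server-wide setting, inherited by every VirtualHost below
ServerName example.test
MergeSlashes Off
<VirtualHost *:80>
    ServerName a.example.test
    AllowEncodedSlashes On
</VirtualHost>
<VirtualHost *:8080>
    ServerName b.example.test
    AllowEncodedSlashes On
    MergeSlashes On
</VirtualHost>
"""


def parse_tree(config_text):
    """Build a tree of configuration scopes; each node holds the directives
    set directly in that scope plus its child sections."""
    root = {"name": "server config", "directives": {}, "children": []}
    stack = [root]
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if OPEN_RE.match(line):
            node = {"name": line, "directives": {}, "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        elif CLOSE_RE.match(line):
            if len(stack) == 1:
                raise ValueError("closing tag without matching section: " + line)
            stack.pop()
        else:
            parts = line.split(None, 1)
            if len(parts) == 2:
                # Directive names are case-insensitive in httpd.
                stack[-1]["directives"][parts[0].lower()] = parts[1].strip().lower()
    if len(stack) != 1:
        raise ValueError("unterminated section: " + stack[-1]["name"])
    return root


def find_vulnerable_contexts(config_text):
    """Return the scope paths where the effective settings are
    AllowEncodedSlashes On together with MergeSlashes Off."""
    findings = []

    def walk(node, path, inherited):
        effective = dict(inherited)
        for key in DEFAULTS:
            if key in node["directives"]:
                effective[key] = node["directives"][key]
        if effective["allowencodedslashes"] == "on" and effective["mergeslashes"] == "off":
            findings.append(path)
        for child in node["children"]:
            walk(child, path + " > " + child["name"], effective)

    root = parse_tree(config_text)
    walk(root, root["name"], DEFAULTS)
    return findings


def is_fixed_version(version_output):
    """True when an 'httpd -v' style line reports Apache 2.4.66 or newer."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no Apache version found in: " + version_output)
    return tuple(int(x) for x in m.groups()) >= FIXED_VERSION


if __name__ == "__main__":
    for ctx in find_vulnerable_contexts(CONSTRUCTED_CONFIG):
        print("AllowEncodedSlashes On + MergeSlashes Off in:", ctx)
    print("fixed build:", is_fixed_version("Server version: Apache/2.4.65 (Win32)"))
```

On the constructed sample only the first VirtualHost is reported, because it inherits the server-wide "MergeSlashes Off" while the second one re-enables merging explicitly. In practice, run the check against the output of `httpd -t -D DUMP_CONFIG` (which requires mod_info) so that included files and conditional sections are already resolved.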
Non-security improvements include:
- The mod_md module, which implements the ACME protocol, has been updated to version 2.6.6:
  - Added support for the ARI (ACME Renewal Information) protocol extension, which allows retrieving information about the need for certificate renewal and selecting the optimal renewal time. The "MDRenewViaARI on|off" directive is proposed for enabling ARI.
  - The "MDInitialDelay" directive has been implemented to set a delay before certificate verification after a server restart.
  - The default value of the MDRetryDelay parameter (the delay before retrying after an error) has been increased to 30 seconds.
  - Support for Tailscale VPN networks has been discontinued.
  - Fixed bugs and a memory leak.
- The mod_http2 module has been updated to version 2.0.35, which introduces the "H2MaxStreamErrors" directive for setting a limit on the number of errors in a stream, after which the connection will be closed.
- mod_http2 now correctly handles responses with code 3 from mod_cache.
- In mod_proxy_http2, the "ProxyErrorOverride" directive has been implemented for overriding error codes.
- The "ListenTCPDeferAccept" directive has been added to mpm_common; it sets the value of the TCP_DEFER_ACCEPT option (wake the accepting process only when data arrives on the socket) for the listening socket.
- The "SSLVHostSNIPolicy" directive has been added to mod_ssl for configuring compatibility rules for virtual hosts.
Source: opennet.ru
