vulnerability
Red Hat: CVE-2025-66200: httpd: Apache HTTP Server: mod_userdir+suexec bypass via AllowOverride FileInfo (Multiple Advisories)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 6 | (AV:N/AC:L/Au:S/C:N/I:P/A:P) | Dec 5, 2025 | Dec 23, 2025 | Dec 24, 2025 |
Severity
6
CVSS
(AV:N/AC:L/Au:S/C:N/I:P/A:P)
Published
Dec 5, 2025
Added
Dec 23, 2025
Modified
Dec 24, 2025
Description
mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid.
This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65.
Users are recommended to upgrade to version 2.4.66, which fixes the issue.
Solutions
redhat-upgrade-httpdredhat-upgrade-httpd-coreredhat-upgrade-httpd-core-debuginforedhat-upgrade-httpd-debuginforedhat-upgrade-httpd-debugsourceredhat-upgrade-httpd-develredhat-upgrade-httpd-filesystemredhat-upgrade-httpd-manualredhat-upgrade-httpd-toolsredhat-upgrade-httpd-tools-debuginforedhat-upgrade-mod_http2redhat-upgrade-mod_http2-debuginforedhat-upgrade-mod_http2-debugsourceredhat-upgrade-mod_ldapredhat-upgrade-mod_ldap-debuginforedhat-upgrade-mod_luaredhat-upgrade-mod_lua-debuginforedhat-upgrade-mod_mdredhat-upgrade-mod_md-debuginforedhat-upgrade-mod_md-debugsourceredhat-upgrade-mod_proxy_htmlredhat-upgrade-mod_proxy_html-debuginforedhat-upgrade-mod_sessionredhat-upgrade-mod_session-debuginforedhat-upgrade-mod_sslredhat-upgrade-mod_ssl-debuginfo
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.