The Apache Software Foundation has rolled out a crucial update for the ubiquitous Apache HTTP Server, addressing five distinct security vulnerabilities. The release of version 2.4.66 serves as a cumulative fix for issues ranging from infinite loops in certificate renewals to potential NTLM credential leaks on Windows systems. While three of the flaws are rated as “low” severity, two “moderate” vulnerabilities pose specific risks for Windows environments and shared hosting configurations utilizing suexec.
One of the headline fixes in this batch is CVE-2025-59775, a Server-Side Request Forgery (SSRF) vulnerability specific to Apache HTTP Server running on Windows. Rated as moderate severity, it is triggered only under a non-default combination of directives: AllowEncodedSlashes On together with MergeSlashes Off (the shipped defaults are AllowEncodedSlashes Off and MergeSlashes On).
According to the disclosure, this configuration “allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content”. An attacker who can coerce the server into connecting to a host they control could therefore harvest NTLM credentials from the server environment, making this a priority patch for Windows-based administrators; non-Windows builds are not affected by this particular flaw.
The second moderate-severity flaw, CVE-2025-66200, targets the interaction between mod_userdir and suexec. The report notes that “Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid”. Because RequestHeader is only honoured in .htaccess files where AllowOverride FileInfo (or AllowOverride All) is in effect, the bypass is reachable on hosts that grant that override to user directories. This breaks the per-user isolation that suexec exists to provide, which is critical in multi-user and shared-hosting environments.
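Both moderate flaws depend on configuration that an administrator can inspect before the maintenance window. The following POSIX shell script is an added example written for this article; it is not part of the Apache HTTP Server release, its documentation or the advisory. It checks the output of httpd -v for 2.4.66 or later and scans a configuration file for the two preconditions described above. The sample configuration files and the version string it runs on are constructed here for illustration. Assumptions not taken from the advisory: a single configuration file is read (Include directives are not followed), directive names and keyword values are compared case-insensitively as httpd does, and Directory scope is ignored, so the AllowOverride finding is a heuristic for a human to review rather than proof of exposure.

```shell
#!/bin/sh
# Added example, not part of the Apache HTTP Server project. Audits a build for
# the preconditions of the two moderate fixes in 2.4.66:
#   CVE-2025-59775  AllowEncodedSlashes On + MergeSlashes Off (Windows only)
#   CVE-2025-66200  mod_userdir + suexec with .htaccess allowed to use RequestHeader
# Assumptions: one config file, Include not followed, <Directory> scope ignored.

# Return 0 if "httpd -v" output reports 2.4.66 or later, 1 if it is older,
# 2 if no "Server version:" line was found.
httpd_is_fixed() {
    printf '%s\n' "$1" | awk '
        BEGIN { status = 2 }
        /^Server version: Apache\// {
            split($3, v, "/")            # "Apache/2.4.66" -> v[2] = "2.4.66"
            split(v[2], p, ".")          # p[1]=2 p[2]=4 p[3]=66
            status = (p[1]+0 > 2 ||
                      (p[1]+0 == 2 && (p[2]+0 > 4 ||
                      (p[2]+0 == 4 && p[3]+0 >= 66)))) ? 0 : 1
        }
        END { exit status }'
}

# Print one finding per line for the configuration file given as $1.
# Return 1 if anything was found, 0 otherwise.
audit_httpd_conf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }         # comments and blank lines
        { n = split(tolower($0), f) }             # f[1] = directive, f[2..n] = args
        f[1] == "allowencodedslashes" && f[2] == "on"  { enc = NR }
        f[1] == "mergeslashes"        && f[2] == "off" { merge_off = NR }
        f[1] == "userdir" { userdir = (f[2] == "disabled") ? 0 : NR }
        f[1] == "allowoverride" {
            for (i = 2; i <= n; i++)
                if (f[i] == "fileinfo" || f[i] == "all") fileinfo = NR
        }
        END {
            rc = 0
            if (enc && merge_off) {
                printf "CVE-2025-59775: AllowEncodedSlashes On (line %d) with MergeSlashes Off (line %d); exposed if this host runs Windows\n", enc, merge_off
                rc = 1
            }
            if (userdir && fileinfo) {
                printf "CVE-2025-66200: UserDir enabled (line %d) and AllowOverride grants FileInfo (line %d), so .htaccess may set RequestHeader\n", userdir, fileinfo
                rc = 1
            }
            exit rc
        }' "$1"
}

# Constructed sample configurations (illustration only, not real deployments).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
VULN_CONF="$WORK/vuln.conf"
SAFE_CONF="$WORK/safe.conf"

cat > "$VULN_CONF" <<'EOF'
# Windows shared host: both non-default slash settings plus .htaccess FileInfo
ServerRoot "C:/Apache24"
AllowEncodedSlashes On
MergeSlashes Off
<IfModule userdir_module>
    UserDir public_html
</IfModule>
<Directory "C:/Users/*/public_html">
    AllowOverride FileInfo Options
    Require all granted
</Directory>
EOF

cat > "$SAFE_CONF" <<'EOF'
# Same host with the httpd defaults restored and .htaccess limited to AuthConfig
ServerRoot "C:/Apache24"
AllowEncodedSlashes Off
MergeSlashes On
<IfModule userdir_module>
    UserDir public_html
</IfModule>
<Directory "C:/Users/*/public_html">
    AllowOverride AuthConfig
    Require all granted
</Directory>
EOF

# Stand-alone run. The version line is constructed; on a real host pass "$(httpd -v)".
if httpd_is_fixed "Server version: Apache/2.4.65 (Win64)"; then
    echo "httpd is 2.4.66 or later"
else
    echo "httpd predates 2.4.66: upgrade, and review the configuration findings below"
fi
for conf in "$VULN_CONF" "$SAFE_CONF"; do
    echo "== $conf"
    if audit_httpd_conf "$conf"; then echo "no advisory preconditions found"; fi
done
```

The script reports line numbers so the findings can be cross-checked against the real file; a clean result from audit_httpd_conf only means the named preconditions were not seen, not that the build is patched, which is why the version check comes first.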
The update also addresses three low-severity issues that, while less critical, could disrupt operations or create unexpected behaviors:
- The Infinite Loop (CVE-2025-55753): A bug in mod_md (ACME) can cause an integer overflow during failed certificate renewals. “Attempts to renew the certificate then are repeated without delays until it succeeds”. This creates a potential resource exhaustion scenario.
- The Query String Glitch (CVE-2025-58098): This affects servers using Server Side Includes (SSI) with mod_cgid. The advisory states that the server “passes the shell-escaped query string to #exec cmd='…' directives”.
- Variable Override (CVE-2025-65082): This flaw involves “variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs”.
Users are advised to upgrade to version 2.4.66, which fixes all five issues. Administrators should apply the update during their next scheduled maintenance window; Windows deployments and shared-hosting systems that rely on suexec should treat it as a priority, since those are the environments the two moderate flaws target.