Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
Apache HTTP Server: Outdated Server Allows Certificate Renewal Overload
OESA-2026-1527
Summary
Apache HTTP Server versions 2.4.30-2.4.66 have a bug that can cause a server to get overwhelmed with repeated certificate renewal attempts, potentially leading to data loss or denial of service. This affects servers that use ACME certificates. To fix this, update to version 2.4.66.
What to do
- Update httpd to version 2.4.58-12.oe2403.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | httpd | <= 2.4.58-12.oe2403 | 2.4.58-12.oe2403 |
Original title
httpd security update
Original description
Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.
Security Fix(es):
An integer overflow vulnerability was found in Apache HTTP Server versions 2.4.30 to 2.4.66. In case of failed ACME certificate renewal, after a number of failures (~30 days in default configurations), the backoff timer becomes 0. Certificate renewal attempts are then repeated without delays until successful. This issue affects confidentiality, integrity, and availability.(CVE-2025-55753)
Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives.
This issue affects Apache HTTP Server before 2.4.66.
Users are recommended to upgrade to version 2.4.66, which fixes the issue.(CVE-2025-58098)
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs.
This issue affects Apache HTTP Server from 2.4.0 through 2.4.65.
Users are recommended to upgrade to version 2.4.66 which fixes the issue.(CVE-2025-65082)
mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid.
This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65.
Users are recommended to upgrade to version 2.4.66, which fixes the issue.(CVE-2025-66200)
Security Fix(es):
An integer overflow vulnerability was found in Apache HTTP Server versions 2.4.30 to 2.4.66. In case of failed ACME certificate renewal, after a number of failures (~30 days in default configurations), the backoff timer becomes 0. Certificate renewal attempts are then repeated without delays until successful. This issue affects confidentiality, integrity, and availability.(CVE-2025-55753)
Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives.
This issue affects Apache HTTP Server before 2.4.66.
Users are recommended to upgrade to version 2.4.66, which fixes the issue.(CVE-2025-58098)
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs.
This issue affects Apache HTTP Server from 2.4.0 through 2.4.65.
Users are recommended to upgrade to version 2.4.66 which fixes the issue.(CVE-2025-65082)
mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid.
This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65.
Users are recommended to upgrade to version 2.4.66, which fixes the issue.(CVE-2025-66200)
- https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA... Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-55753 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-58098 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-65082 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-66200 Vendor Advisory
Published: 6 Mar 2026 · Updated: 6 Mar 2026 · First seen: 6 Mar 2026