Newsroom

EasyApache4 v25.26 Maintenance and Security Release

August 20, 2025

Webpros has released an update for EasyApache 4!  Take a look at some highlights below, and then join us on the cPanel Community Forums, Discord, or Reddit to talk about this update and much more. If you have additional questions, feel free to reach out on one of our social channels.

  • ea-php84
    • EA-13049: Update ea-php84 from v8.4.10 to v8.4.11
  • ea-php84-meta
    • EA-13049: Update ea-php84 from v8.4.10 to v8.4.11
  • ea-memcached16
    • EA-13047: Update ea-memcached16 from v1.6.38 to v1.6.39
  • ea-apr-util
    • EA4-53: Fix Almalinux 10 mysql-devel dependency and patch problems
  • ea-libtidy
    • EA4-52: Address libcurl.so.4 missing on Alma 10
  • ea-cpanel-tools
    • ZC-12937: Remove CentOS 6 from manifest
  • ea-liblsapi
    • EA4-52: Address `libcurl.so.4` missing on Alma 10
    • EA4-52: Update to 1.1-81
  • ea-apache24-mod_lsapi
    • EA4-52: Address `libcurl.so.4` missing on Alma 10
    • EA4-52: Update to 1.1-81
  • ea-apache24-mod_suphp
    • EA4-96: Remove exec_code_asuser
  • ea-apache24-mod_ruid2
    • EA4-97: Adjust exec_code_asuser
  • ea-apache24-mpm_itk
    • EA4-99: Adjust exec_code_asuser
  • ea-tomcat101
    • EA-13066: Update ea-tomcat101 from v10.1.43 to v10.1.44
  • ea-nodejs22
    • EA-13050: Update ea-nodejs22 from v22.17.1 to v22.18.0
  • ea-libcurl
    • EA-13029: Update ea-libcurl from v8.14.1 to v8.15.0
  • ea-nodejs20
    • EA-13026: Update ea-nodejs20 from v20.19.3 to v20.19.4
    • (CVE-2025-27210) Windows Device Names (CON, PRN, AUX) Bypass Path Traversal Protection in path.normalize()
  • ea-apache24-mod_security2
    • EA-13061: Update ea-apache24-mod_security2 from v2.9.11 to v2.9.12
    • fix: Improper error handling CVE 2025-54571
  • ea-profiles-cpanel
    • EA4-104: Add EA4 Profile to support PHP 8.3 in WP Squared

SSUMMARY

WebPros International, LLC has updated packages for EasyApache 4 with updated versions of Node.js 20 and ModSecurity 2. This release addresses vulnerabilities related to CVE-2025-27210 and CVE-2025-54571. We strongly encourage all Node.js 20 users to update to version 20.19.4 and all ModSecurity 2 users to update to version 2.9.12.

AFFECTED VERSIONS

All versions of Node.js 20 through 20.19.3.
All versions of ModSecurity 2 through 2.9.11.

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2025-27210 – HIGH
Node.js 20.19.4
Fixed vulnerability related to CVE-2025-27210.

CVE-2025-54571 – MEDIUM
ModSecurity 2.9.12
Fixed vulnerability related to CVE-2025-54571.

SOLUTION
WebPros International, LLC has released updated packages for EasyApache 4 25.26 on 2025 August 20, with Node.js 20 version 20.19.4 and ModSecurity 2 version 2.9.12. Unless you have enabled automatic package updates in your cron, update your system with either your package manager or WHM’s Run System Update interface.

REFERENCES
https://www.cve.org/CVERecord?id=CVE-2025-27210
https://www.cve.org/CVERecord?id=CVE-2025-54571
https://github.com/nodejs/node/releases/tag/v20.19.4
https://github.com/owasp-modsecurity/ModSecurity/releases

Information about all releases this year can be found in the 2025 EasyApache 4 Changelog.

You can follow our RSS feed for all our releases here: https://docs.cpanel.net/release-notes/release-notes/index.xml

GPG signed copy of this announcement: https://news.cpanel.com/wp-content/uploads/2025/08/EA4-25.26-CVE.signed.txt