cPanel, L.L.C. has released an update for EasyApache 4!  Take a look at some highlights below, and then join us on the cPanel Community Forums, Discord, or Reddit to talk about this update and much more. If you have additional questions, feel free to reach out on one of our social channels.

• ea-podman
  • ZC-12610: Add compat layer for ULC function that was removed

• ea-nodejs20
  • EA-12692: Update ea-nodejs20 from v20.18.2 to v20.18.3

• ea-nodejs22
  • EA-12694: Update ea-nodejs22 from v22.13.1 to v22.14.0

• ea-libcurl
  • EA-12678: Update ea-libcurl from v8.11.1 to v8.12.0
  • CVE-2025-0167 / CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CVE-2025-0665 / CWE-1341: Multiple Releases of Same Resource or Handle
  • CVE-2025-0725 / CWE-680: Integer Overflow to Buffer Overflow

• ea-ioncube14
  • EA-12675: Update ea-ioncube14 from v14.0.0 to v14.4.0
  • Full release of PHP 8.4 loaders that will run encoded files produced by the PHP 8.3 & 8.2 Encoders.

• ea-scl-sourceguardian
  • EA-12679: Update ea-scl-sourceguardian from v15.0.2 to v16.0.0

• ea-passenger-src
  • EA-12681: Update ea-passenger-src from v6.0.23 to v6.0.24

• ea-memcached16
  • EA-12685: Update ea-memcached16 from v1.6.34 to v1.6.36

• ea-tomcat101
  • EA-12693: Update ea-tomcat101 from v10.1.34 to v10.1.35
  • Add a check to ensure that, if one or more web applications are potentially vulnerable to CVE-2024-56337, the JVM has been configured to protect against the vulnerability and to configure the JVM correctly if not. Where one or more web applications are potentially vulnerable to CVE-2004-56337 and the JVM cannot be correctly configured or it cannot be confirmed that the JVM has been correctly configured, prevent the impacted web applications from starting.

• ea-nginx
  • EA-12703: Update ea-nginx from v1.26.2 to v1.26.3
  • Security: insufficient check in virtual servers handling with TLSv1.3
    SNI allowed to reuse SSL sessions in a different virtual server, to
    bypass client SSL certificates verification (CVE-2025-23419)

• ea-nginx-echo
  • EA-12703: Build against ea-nginx version v1.26.3

• ea-nginx-headers-more
  • EA-12703: Build against ea-nginx version v1.26.3

• ea-nginx-njs
  • EA-12703: Build against ea-nginx version v1.26.3

• ea-nginx-passenger
  • EA-12703: Build against ea-nginx version v1.26.3

• ea-modsec30-connector-nginx
  • EA-12703: Build against ea-nginx version v1.26.3

SUMMARY

cPanel, L.L.C. has updated packages for EasyApache 4 with updated versions of libcurl, Tomcat 10.1 and NGINX. This release addresses vulnerabilities related to CVE-2025-0167, CVE-2025-0665, CVE-2025-0725, CVE-2024-56337, and CVE-2025-23419. We strongly encourage all libcurl users to update to version 8.12.0, all Tomcat 10.1 users to update to version 10.1.35, and all NGINX users to update to version 1.26.3.

AFFECTED VERSIONS
All versions of libcurl through 8.11.1
All versions of Tomcat 10.1 through 10.1.34
All versions of NGINX through 1.26.2

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2025-0167 – MEDIUM
libcurl 8.12.0
Fixed vulnerability related to CVE-2025-0167

CVE-2025-0665 – MEDIUM
libcurl 8.12.0
Fixed vulnerability related to CVE-2025-0665

CVE-2025-0725 – MEDIUM
libcurl 8.12.0
Fixed vulnerability related to CVE-2025-0725

CVE-2024-56337
Tomcat 10.1.35
Fixed vulnerability related to CVE-2024-56337

CVE-2025-23419
NGINX 1.26.3
Fixed vulnerability related to CVE-2025-23419

SOLUTION
cPanel, L.L.C. has released updated packages for EasyApache 4 25.4 on 2025 February 13, with libcurl version 8.12.0, Tomcat version 10.1.35, and NGINX version 1.26.3. Unless you have enabled automatic package updates in your cron, update your system with either your package manager or WHM’s Run System Update interface.

REFERENCES
https://www.cve.org/CVERecord?id=CVE-2025-0167
https://www.cve.org/CVERecord?id=CVE-2025-0665
https://www.cve.org/CVERecord?id=CVE-2025-0725
https://www.cve.org/CVERecord?id=CVE-2024-56337
https://www.cve.org/CVERecord?id=CVE-2025-23419
https://curl.se/ch/8.12.0.html
https://tomcat.apache.org/tomcat-10.1-doc/changelog.html
https://nginx.org/en/CHANGES-1.26

Information about all releases this year can be found in the 2025 EasyApache 4 Changelog.

You can follow our RSS feed for all our releases here: https://docs.cpanel.net/release-notes/release-notes/index.xml

GPG signed copy of this announcement: https://news.cpanel.com/wp-content/uploads/2025/02/EA4-25.5-CVE.signed.txt