CVE-2022-30780 — Incorrect Calculation in Lighttpd

CWE-682 — Incorrect Calculation CWE-400 — Uncontrolled Resource Consumption6 documents6 sources

Severity

7.5HIGHNVD

EPSS

81.8%

top 0.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Lighttpd Debian Lighttpd

Timeline

PublishedJun 11

Latest updateOct 12

Description

Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a denial of service (CPU consumption from stuck connections) because connection_read_header_more in connections.c has a typo that disrupts use of multiple read operations on large headers.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/lighttpd< lighttpd 1.4.59-1 (bookworm)

▶Debianlighttpd/lighttpd< 1.4.59-1+3

▶NVDlighttpd/lighttpd1.4.56, 1.4.57, 1.4.58+2

Patches

Patch: redmine.lighttpd.net ↗Patch: redmine.lighttpd.net ↗

🔴Vulnerability Details

GHSA

GHSA-43hv-3rv7-ch5p: Lighttpd 1↗2022-06-12

▶

OSV

CVE-2022-30780: Lighttpd 1↗2022-06-11

▶

CVEList

CVE-2022-30780: Lighttpd 1↗2022-06-11

▶

📋Vendor Advisories

Debian

CVE-2022-30780: lighttpd - Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a denial of ser...↗2022

▶

📄Research Papers

arXiv

LineBreaker: Finding Token-Inconsistency Bugs with Large Language Models↗2025-10-12

▶