CVE-2025-12642: HTTP Request Smuggling in Lighttpd

Severity: 6.9 MEDIUM (NVD)
EPSS: 0.1% (top 80.09%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 3

Description

lighttpd 1.4.80 incorrectly merged trailer fields into headers after HTTP request parsing. This behavior can be exploited to conduct HTTP Header Smuggling attacks. Successful exploitation may allow an attacker to:

* Bypass access control rules
* Inject unsafe input into backend logic that trusts request headers
* Execute HTTP Request Smuggling attacks under some conditions

This issue affects lighttpd 1.4.80.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

Affected Packages (3 packages)

CVEListV5 | lighttpd/lighttpd | 1.4.80 | 1.4.81
NVD | lighttpd/lighttpd | 1.4.80

🔴 Vulnerability Details (2)

GHSA: GHSA-fvx8-q97q-cw73: lighttpd1 (2025-11-03)
OSV: CVE-2025-12642: lighttpd1 (2025-11-03)

📋 Vendor Advisories (1)

Debian
CVE-2025-12642: lighttpd - lighttpd1.4.80 incorrectly merged trailer fields into headers after http request...2025