Use-after-free vulnerabilities exist in lighttpd <= 1.4.50 request parsing. They might cause reads through invalid pointers to memory used in the same request, not memory from other requests.
[
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"246009349473333614023047990629878126184",
"204367143214497225342545567715357513016",
"295564844293388981181312915944033587449",
"189899803973884612364814741717748161115",
"115051299043930959133182371684246260671",
"151731225488274849014964797005327183953",
"316506911302985549852842593606769908345",
"131717849578051332685159454207601584847",
"14465564875885446660250879385190366042",
"147344715412917341967159941672153693207",
"261132700868379521276670937091578035944",
"62869677652853722364966417283110919434",
"271911161642191057285790971507630950366",
"187525521267276666418818816345361422279",
"148239379363989624651189924280992651619",
"262060769690341946469686030152278625217",
"88222814242384881596564085148518062172",
"113116468545771878739517769305180843284",
"66378793959045032992415855950187724807",
"18390417561985779762068001932409962933",
"236835403693246056554500459813990785594",
"8512656030326554608988583948733707467",
"198287876916796102868389336284597915555",
"87184171799293286529109014535113540374",
"338915026269405791816508404690288702128",
"25238069949692652510731814353211862591",
"203465355310772320516303124005033448593",
"125134071828649013114472632034119510899",
"28616384078005203753751886390927249161",
"307045056303614966910510540730075535946",
"170938519785467886067882470415518820860",
"163508836285916582959162061739341761653",
"134806057608229436438742313089790249595",
"97224520087897506533756810770680120638",
"219587869896038038224987947673181843730",
"118261778764159770871265901734770783181",
"39898007040991967715719042334063462517",
"111857727771216734507405860024361975538",
"118442132250424325521920380203318146748",
"76299610821621269799609492925867909978",
"189037560652621164687510775446502069446",
"115216486835995829218610278306355311523",
"86597735928569425495902886228980888530",
"214231761749614652346827723860898185272",
"228353037382788085377129088099151105391",
"79123115429547849361253552526602949631",
"219451594525769243927823857444486713218",
"332917171192048007246434143317261855372",
"323831840183634838376336691957325852910",
"175064937704203903912802914170333833985",
"47119220901633313646421102760659484056",
"298740960392813188296303240406074399457",
"155479057612620892352595334326615920754",
"212285567173521423268834408543668579738",
"291595000097575603875717693203724237205"
]
},
"source": "https://github.com/lighttpd/lighttpd1.4/commit/df8e4f95614e476276a55e34da2aa8b00b1148e9",
"deprecated": false,
"target": {
"file": "src/request.c"
},
"id": "CVE-2018-25103-156e1352",
"signature_type": "Line",
"signature_version": "v1"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"251419104428642506513878925132615769665",
"107658503189526638487775156688144153740",
"148111985143560013314764364642123109013",
"164278442705083032519547972246199035495",
"189841354512426474495408647400530105338",
"246287297565924739399841748832012230872",
"141640914743367127741346672830812295720",
"243997451393686329416024536776669952700",
"327497186625378233986754629147472774874",
"163757015661311440026234297865801912721",
"202054677114986033339742501907986980837",
"330874628087232810730692099792109562844",
"311208252611442397559032815228654746511",
"39645001135290814000954122764748331607",
"100988980291172329814889118979971177021",
"244786690472804430725134260383322524918",
"160186299274877614151680114010088089409",
"38988790665015417835685565749664112458",
"223156449317656127415954578706734045681",
"160186299274877614151680114010088089409",
"110328764515362703566873801335033067222",
"45276379943680408658578557971317704152",
"133810087396102125449528548690342811691",
"216368499095294677028192449837137462898",
"75334102497205901735653971918310657147",
"160186299274877614151680114010088089409",
"38988790665015417835685565749664112458",
"223156449317656127415954578706734045681",
"219097455896383551781849344984483285075",
"31933626973629210342445841152711128960",
"82168198710473160438929167281735131841",
"158446896987921723071957158074728656491",
"230142805415263255038717694120503945608",
"109244796347332379893918417433374203139",
"127479511771547748483202662154862062748",
"216033807631488883627822031014693402959",
"270378600107417109374722548291316254779",
"202701833550604229564413816542760665001",
"67384462653963801788922786828752361066",
"21158502973842483622426877592214639425",
"333209533432479642197976417520170457423",
"154649062027771839384032334378380358099",
"101310082029172041445198055776359629484"
]
},
"source": "https://github.com/lighttpd/lighttpd1.4/commit/d161f53de04bc826ce1bdaeb3dce2c72ca50a3f8",
"deprecated": false,
"target": {
"file": "src/http-header-glue.c"
},
"id": "CVE-2018-25103-3f5d0072",
"signature_type": "Line",
"signature_version": "v1"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"200247613657499969346083858666223119770",
"121085043153592585019959928074540125862",
"72176461814164674813900888259527721985",
"337102870355667494584185751593931068354",
"79156242311697088538541012648895668635",
"226239212853724876986513899763216884821",
"287185265177931213981007181026058222358",
"252972807828314563289279016330648104503"
]
},
"source": "https://github.com/lighttpd/lighttpd1.4/commit/d161f53de04bc826ce1bdaeb3dce2c72ca50a3f8",
"deprecated": false,
"target": {
"file": "src/base.h"
},
"id": "CVE-2018-25103-43a1eb52",
"signature_type": "Line",
"signature_version": "v1"
},
{
"digest": {
"function_hash": "146130499813709236720775407456275584578",
"length": 14263.0
},
"source": "https://github.com/lighttpd/lighttpd1.4/commit/df8e4f95614e476276a55e34da2aa8b00b1148e9",
"deprecated": false,
"target": {
"file": "src/request.c",
"function": "http_request_parse"
},
"id": "CVE-2018-25103-66415166",
"signature_type": "Function",
"signature_version": "v1"
},
{
"digest": {
"function_hash": "29706367145274578055571171384380664002",
"length": 11760.0
},
"source": "https://github.com/lighttpd/lighttpd1.4/commit/d161f53de04bc826ce1bdaeb3dce2c72ca50a3f8",
"deprecated": false,
"target": {
"file": "src/t/test_request.c",
"function": "test_request_http_request_parse"
},
"id": "CVE-2018-25103-6b75f995",
"signature_type": "Function",
"signature_version": "v1"
},
{
"digest": {
"function_hash": "76245113936378622864694779741242517289",
"length": 3460.0
},
"source": "https://github.com/lighttpd/lighttpd1.4/commit/d161f53de04bc826ce1bdaeb3dce2c72ca50a3f8",
"deprecated": false,
"target": {
"file": "src/http-header-glue.c",
"function": "http_response_parse_range"
},
"id": "CVE-2018-25103-8186e511",
"signature_type": "Function",
"signature_version": "v1"
},
{
"digest": {
"function_hash": "221906203987415132133584530247049485373",
"length": 3116.0
},
"source": "https://github.com/lighttpd/lighttpd1.4/commit/d161f53de04bc826ce1bdaeb3dce2c72ca50a3f8",
"deprecated": false,
"target": {
"file": "src/http-header-glue.c",
"function": "http_response_send_file"
},
"id": "CVE-2018-25103-83834615",
"signature_type": "Function",
"signature_version": "v1"
},
{
"digest": {
"function_hash": "328007060334241126757620599833701877701",
"length": 19929.0
},
"source": "https://github.com/lighttpd/lighttpd1.4/commit/d161f53de04bc826ce1bdaeb3dce2c72ca50a3f8",
"deprecated": false,
"target": {
"file": "src/request.c",
"function": "http_request_parse"
},
"id": "CVE-2018-25103-8c7d1925",
"signature_type": "Function",
"signature_version": "v1"
},
{
"digest": {
"function_hash": "103008511146208820322382114135648299078",
"length": 3567.0
},
"source": "https://github.com/lighttpd/lighttpd1.4/commit/df8e4f95614e476276a55e34da2aa8b00b1148e9",
"deprecated": false,
"target": {
"file": "src/request.c",
"function": "parse_single_header"
},
"id": "CVE-2018-25103-91d5043a",
"signature_type": "Function",
"signature_version": "v1"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"311971734691968895430555204295977136171",
"15463213677373329122338378937004150702",
"38153316448421845205586647894731534933",
"236432753107368975993417802196679370363",
"338927737123467289417414645855208336140",
"234644194591774290101884827044504776603",
"157011037328277293402130836716294070904",
"289781592735138414921659999302089739349",
"276124982124907471228717257817770104919",
"171594515939049573951138926479540520554",
"272123244621778087407732169313628584659",
"294283965581096884510919418587194977337",
"78047940835101195270700255169265585664",
"164789924174319805496850698534553219050",
"331849661840802697303385943466444429924",
"74969359178773229269363299277511078640",
"294615269763147315127635840627739538315",
"324420782635837211685623121963747477602",
"119004712402432048571049510490118956831",
"106773605300392219248823075769290832970",
"226101206725641956418392697000662644099",
"128278406523854211409274585814618471917"
]
},
"source": "https://github.com/lighttpd/lighttpd1.4/commit/d161f53de04bc826ce1bdaeb3dce2c72ca50a3f8",
"deprecated": false,
"target": {
"file": "src/request.c"
},
"id": "CVE-2018-25103-cdfa0169",
"signature_type": "Line",
"signature_version": "v1"
},
{
"digest": {
"function_hash": "75792027933325015571889346342640614378",
"length": 1331.0
},
"source": "https://github.com/lighttpd/lighttpd1.4/commit/d161f53de04bc826ce1bdaeb3dce2c72ca50a3f8",
"deprecated": false,
"target": {
"file": "src/connections.c",
"function": "connection_reset"
},
"id": "CVE-2018-25103-d52c3c67",
"signature_type": "Function",
"signature_version": "v1"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"312420482691617511804764380432116282174",
"288666784513994140313097690398994477412",
"82740078044491109969167001493723272933",
"240555472601177094018999564907929284560"
]
},
"source": "https://github.com/lighttpd/lighttpd1.4/commit/d161f53de04bc826ce1bdaeb3dce2c72ca50a3f8",
"deprecated": false,
"target": {
"file": "src/connections.c"
},
"id": "CVE-2018-25103-d909d053",
"signature_type": "Line",
"signature_version": "v1"
},
{
"digest": {
"function_hash": "313096109300505158287153404755879153085",
"length": 745.0
},
"source": "https://github.com/lighttpd/lighttpd1.4/commit/d161f53de04bc826ce1bdaeb3dce2c72ca50a3f8",
"deprecated": false,
"target": {
"file": "src/t/test_request.c",
"function": "test_request_connection_reset"
},
"id": "CVE-2018-25103-ed56f7ec",
"signature_type": "Function",
"signature_version": "v1"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"61065783542386273751226985912522548663",
"199591936520713475241925356871821241423",
"154503735776718921041640891892690161329",
"35428198664257262347161965006574756695",
"70646320648525484181545971001681919593",
"131880999906443683768121202223126712334",
"212737294047137254940186939900839204115",
"101319272265461638428041169804087354319",
"138376482804546605994640066871959248882",
"14918870188546391539663108946590732124",
"213371392878979281925786413764169078564"
]
},
"source": "https://github.com/lighttpd/lighttpd1.4/commit/d161f53de04bc826ce1bdaeb3dce2c72ca50a3f8",
"deprecated": false,
"target": {
"file": "src/t/test_request.c"
},
"id": "CVE-2018-25103-f68c795b",
"signature_type": "Line",
"signature_version": "v1"
}
]