CVE-2025-12642

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-12642

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-12642.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-12642

Downstream

UBUNTU-CVE-2025-12642

Published

2025-11-03T20:17:06.410Z

Modified

2025-11-20T12:32:41.035976Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

lighttpd1.4.80 incorrectly merged trailer fields into headers after http request parsing. This behavior can be exploited to conduct HTTP Header Smuggling attacks.

Successful exploitation may allow an attacker to:

Bypass access control rules
Inject unsafe input into backend logic that trusts request headers
Execute HTTP Request Smuggling attacks under some conditions

This issue affects lighttpd1.4.80

References

https://github.com/lighttpd/lighttpd1.4/commit/35cb89c103877de62d6b63d0804255475d77e5e1

Affected packages

Git / github.com/lighttpd/lighttpd1.4

Affected ranges

Type: GIT
Repo: https://github.com/lighttpd/lighttpd1.4
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

35cb89c103877de62d6b63d0804255475d77e5e1

Affected versions

lighttpd-1.*

lighttpd-1.3.11

lighttpd-1.3.12

lighttpd-1.3.13

lighttpd-1.3.14

lighttpd-1.3.15

lighttpd-1.3.16

lighttpd-1.4.1

lighttpd-1.4.2

lighttpd-1.4.25

lighttpd-1.4.26

lighttpd-1.4.27

lighttpd-1.4.28

lighttpd-1.4.29

lighttpd-1.4.3

lighttpd-1.4.30

lighttpd-1.4.31

lighttpd-1.4.32

lighttpd-1.4.33

lighttpd-1.4.34

lighttpd-1.4.35

lighttpd-1.4.36

lighttpd-1.4.36--rc1

lighttpd-1.4.37

lighttpd-1.4.38

lighttpd-1.4.39

lighttpd-1.4.4

lighttpd-1.4.40

lighttpd-1.4.41

lighttpd-1.4.42

lighttpd-1.4.43

lighttpd-1.4.44

lighttpd-1.4.45

lighttpd-1.4.46

lighttpd-1.4.47

lighttpd-1.4.48

lighttpd-1.4.49

lighttpd-1.4.5

lighttpd-1.4.50

lighttpd-1.4.51

lighttpd-1.4.52

lighttpd-1.4.53

lighttpd-1.4.54

lighttpd-1.4.55

lighttpd-1.4.56

lighttpd-1.4.56-rc1

lighttpd-1.4.56-rc2

lighttpd-1.4.56-rc3

lighttpd-1.4.56-rc4

lighttpd-1.4.56-rc5

lighttpd-1.4.56-rc6

lighttpd-1.4.56-rc7

lighttpd-1.4.57

lighttpd-1.4.58

lighttpd-1.4.59

lighttpd-1.4.6

lighttpd-1.4.60

lighttpd-1.4.61

lighttpd-1.4.62

lighttpd-1.4.63

lighttpd-1.4.64

lighttpd-1.4.65

lighttpd-1.4.66

lighttpd-1.4.67

lighttpd-1.4.68

lighttpd-1.4.69

lighttpd-1.4.7

lighttpd-1.4.70

lighttpd-1.4.71

lighttpd-1.4.72

lighttpd-1.4.73

lighttpd-1.4.74

lighttpd-1.4.75

lighttpd-1.4.76

lighttpd-1.4.77

lighttpd-1.4.78

lighttpd-1.4.79

lighttpd-1.4.80

Database specific

vanir_signatures

[
    {
        "target": {
            "file": "src/request.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "177279775846748800587473156359973412692",
                "234107947651447384615462498936120486077",
                "302025777481488930004506134913590170429",
                "53861381006875801283685841489596921050"
            ]
        },
        "signature_version": "v1",
        "id": "CVE-2025-12642-473a78bc",
        "source": "https://github.com/lighttpd/lighttpd1.4/commit/35cb89c103877de62d6b63d0804255475d77e5e1",
        "deprecated": false,
        "signature_type": "Line"
    }
]