CVE-2025-12642

HTTP Header Smuggling via Trailer Merge

CVSS 6.9 MEDIUMEPSS 0.3%CWE-444

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 6.9EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

03 Nov 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

lighttpd1.4.80 incorrectly merged trailer fields into headers after http request parsing. This behavior can be exploited to conduct HTTP Header Smuggling attacks. Successful exploitation may allow an attacker to: * Bypass access control rules * Inject unsafe input into backend logic that trusts request headers * Execute HTTP Request Smuggling attacks under some conditions This issue affects lighttpd1.4.80

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

Affected products

lighttpd · lighttpd

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/lighttpd/lighttpd1.4/commit/35cb89c103877de62d6b63d0804255475d77e5e1