← volver
CVE-2025-12642

HTTP Header Smuggling via Trailer Merge

CVSS 6.9 MEDIUMEPSS 0.3%CWE-444
Vexday Risk Score
13Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 6.9EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
03 nov 2025Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
lighttpd1.4.80 incorrectly merged trailer fields into headers after http request parsing. This behavior can be exploited to conduct HTTP Header Smuggling attacks. Successful exploitation may allow an attacker to: * Bypass access control rules * Inject unsafe input into backend logic that trusts request headers * Execute HTTP Request Smuggling attacks under some conditions This issue affects lighttpd1.4.80
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
Productos afectados
lighttpd · lighttpd

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/lighttpd/lighttpd1.4/commit/35cb89c103877de62d6b63d0804255475d77e5e1