← voltar
CVE-2025-12642

HTTP Header Smuggling via Trailer Merge

CVSS 6.9 MEDIUMEPSS 0.3%CWE-444
Vexday Risk Score
13Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 6.9EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
03 nov 2025Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
lighttpd1.4.80 incorrectly merged trailer fields into headers after http request parsing. This behavior can be exploited to conduct HTTP Header Smuggling attacks. Successful exploitation may allow an attacker to: * Bypass access control rules * Inject unsafe input into backend logic that trusts request headers * Execute HTTP Request Smuggling attacks under some conditions This issue affects lighttpd1.4.80
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
Produtos afetados
lighttpd · lighttpd

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/lighttpd/lighttpd1.4/commit/35cb89c103877de62d6b63d0804255475d77e5e1