CVE-2025-12642
CRITICALDescription
lighttpd1.4.80 incorrectly merged trailer fields into headers after http request parsing. This behavior can be exploited to conduct HTTP Header Smuggling attacks. Successful exploitation may allow an attacker to: * Bypass access control rules * Inject unsafe input into backend logic that trusts request headers * Execute HTTP Request Smuggling attacks under some conditions This issue affects lighttpd1.4.80
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| lighttpd | lighttpd |
References
Frequently Asked Questions
What is CVE-2025-12642? +
How severe is CVE-2025-12642? +
What products are affected by CVE-2025-12642? +
How do I check if I'm vulnerable to CVE-2025-12642? +
Related Vulnerabilities
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in ithewei libhv allows HTTP Response Smuggling.This issue affects libhv: through …
HTTP request desynchronization in Ping Identity PingAccess, all versions prior to 8.0.1 affected allows an attacker to send specially crafted …
This vulnerability allows a high-privileged authenticated PAM user to achieve remote command execution on the affected PAM system by sending …
An HTTP Request Smuggling [CWE-444] vulnerability in the Authentication portal of WatchGuard Fireware OS allows a remote attacker to evade …
Connection desynchronization between an HTTP proxy and the model backend. The fixes were rolled out for all proxies in front …
Member Login Script 3.3 contains a client-side desynchronization vulnerability that allows attackers to manipulate HTTP request handling by exploiting Content-Length …