CVE-2025-12642
BaseFortify
Publication date: 2025-11-03
Last updated on: 2025-11-12
Assigner: Toreon
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lighttpd | lighttpd | 1.4.80 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-444 | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in lighttpd 1.4.80 occurs because the software incorrectly merges HTTP trailer fields into headers after parsing an HTTP request. This flaw can be exploited to perform HTTP Header Smuggling attacks, where an attacker manipulates HTTP headers to bypass security controls or inject malicious input.
How can this vulnerability impact me? :
Exploiting this vulnerability may allow an attacker to bypass access control rules, inject unsafe input into backend logic that trusts request headers, and execute HTTP Request Smuggling attacks under certain conditions. This can lead to unauthorized access, data manipulation, or other security breaches.