CVE-2025-12642

Summary

lighttpd1.4.80 incorrectly merged trailer fields into headers after http request parsing. This behavior can be exploited to conduct HTTP Header Smuggling attacks.

Successful exploitation may allow an attacker to:

  • Bypass access control rules
  • Inject unsafe input into backend logic that trusts request headers
  • Execute HTTP Request Smuggling attacks under some conditions

This issue affects lighttpd1.4.80

Affected Software

VendorProductVersion RangeStatus
lighttpdlighttpd1.4.80 < 1.4.81affected

Weaknesses

  • CWE-444: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References