Use-After-Free Vulnerability in lighttpd <= 1.4.50
CVE-2018-25103

5.3 MEDIUM

Key Information:

Vendor: Lighttpd

Status
Vendor
CVE Published: 17 June 2024

What is CVE-2018-25103?

The vulnerability arises from improper memory management in the Lighttpd web server, specifically in the request parsing functionality. It can lead to reading from invalid pointers, potentially exposing sensitive data from within the same request's memory space. This flaw does not affect memory management across different requests, limiting the scope of impact but still representing a significant risk. Users of affected versions should apply the recommended updates to mitigate potential exploitation.

Affected Version(s)

lighttpd * <= 1.4.50

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Thanks to VDOO Embedded Security part of JFROG for reporting the vulnerability in the If-Modified-Since header with line folding, and thanks to Marcus Wengelin for reporting the vulnerability in the Range header with a specially crafted pair of Range headers.