HTTP Header Smuggling Vulnerability in lighttpd by Lighttpd Project
CVE-2025-12642

6.9MEDIUM

Key Information:

Vendor: Lighttpd
Status: Lighttpd
Vendor: CVE Published:; 3 November 2025

What is CVE-2025-12642?

A flaw in lighttpd version 1.4.80 allows improper handling of trailer fields that can be merged into HTTP headers post-request parsing. This vulnerability can be exploited by attackers to bypass access control mechanisms, inject unauthorized input into backend systems that rely on request header information, and execute HTTP Request Smuggling attacks under specific scenarios. Organizations using this version of lighttpd should assess their exposure to this issue and apply necessary mitigations.

Affected Version(s)

lighttpd 1.4.80 < 1.4.81

References

https://github.com/lighttpd/lighttpd1.4/commit/35cb89c103...

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 3, 2025
Vulnerability Reserved
Nov 3, 2025

Credit

Sebastiano Sartor <@sebsrt>

JSON