HTTP Header Smuggling Vulnerability in lighttpd by Lighttpd Project
CVE-2025-12642

6.9MEDIUM

Key Information:

Vendor: Lighttpd
Status: Lighttpd
Vendor: CVE Published:; 3 November 2025

What is CVE-2025-12642?

A flaw in lighttpd version 1.4.80 allows improper handling of trailer fields that can be merged into HTTP headers post-request parsing. This vulnerability can be exploited by attackers to bypass access control mechanisms, inject unauthorized input into backend systems that rely on request header information, and execute HTTP Request Smuggling attacks under specific scenarios. Organizations using this version of lighttpd should assess their exposure to this issue and apply necessary mitigations.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

lighttpd 1.4.80 < 1.4.81

References

https://github.com/lighttpd/lighttpd1.4/commit/35cb89c103...

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Nov 3, 2025
Vulnerability Reserved
Nov 3, 2025

Credit

Sebastiano Sartor <@sebsrt>

JSON

Lighttpd

What is CVE-2025-12642?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V4

Timeline

Credit

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.