Vulnerability Database

300,830

Total vulnerabilities in the database

CVE-2025-12642

lighttpd1.4.80 incorrectly merged trailer fields into headers after http request parsing. This behavior can be exploited to conduct HTTP Header Smuggling attacks.

Successful exploitation may allow an attacker to:

Bypass access control rules
Inject unsafe input into backend logic that trusts request headers
Execute HTTP Request Smuggling attacks under some conditions

This issue affects lighttpd1.4.80

Published: Nov 3, 2025
Updated: Nov 13, 2025
CVE: CVE-2025-12642
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWEs:

CWE-444

Affected Software
References

Software	From	Fixed in
lighttpd / lighttpd	1.4.80	1.4.80.x

https://github.com/lighttpd/lighttpd1.4/commit/35cb89c103877de62d6b63d0804255475d77e5e1

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo