CVE-2025-12642 — CRITICAL (9.1)

Vulnerability Description

lighttpd1.4.80 incorrectly merged trailer fields into headers after http request parsing. This behavior can be exploited to conduct HTTP Header Smuggling attacks. Successful exploitation may allow an attacker to: * Bypass access control rules * Inject unsafe input into backend logic that trusts request headers * Execute HTTP Request Smuggling attacks under some conditions This issue affects lighttpd1.4.80

CVSS Score

9.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Lighttpd	Lighttpd	1.4.80

Related Weaknesses (CWE)

CWE-444

References

https://github.com/lighttpd/lighttpd1.4/commit/35cb89c103877de62d6b63d0804255475Patch

FAQ

What is CVE-2025-12642?

CVE-2025-12642 is a vulnerability with a CVSS score of 9.1 (CRITICAL). lighttpd1.4.80 incorrectly merged trailer fields into headers after http request parsing. This behavior can be exploited to conduct HTTP Header Smuggling attacks. Successful exploitation may allow an...

How severe is CVE-2025-12642?

CVE-2025-12642 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2025-12642?

Check the references section above for vendor advisories and patch information. Affected products include: Lighttpd Lighttpd.