CVE-2025-12642

HTTP Header Smuggling via Trailer Merge

Description

lighttpd1.4.80 incorrectly merged trailer fields into headers after http request parsing. This behavior can be exploited to conduct HTTP Header Smuggling attacks. Successful exploitation may allow an attacker to: * Bypass access control rules * Inject unsafe input into backend logic that trusts request headers * Execute HTTP Request Smuggling attacks under some conditions This issue affects lighttpd1.4.80

INFO

Published Date :

2025-11-03T19:36:17.011Z

Last Modified :

2025-11-03T19:44:09.174Z

Source :

Toreon

AFFECTED PRODUCTS

The following products are affected by CVE-2025-12642 vulnerability.

Vendors	Products
Lighttpd	Lighttpd

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-12642.

URL	Resource
https://github.com/lighttpd/lighttpd1.4/commit/35cb89c103877de62d6b63d0804255475d77e5e1

CVSS Vulnerability Scoring System

V4
V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact