CVE-2025-12642 · CRITICAL 9.1 · EPSS p21.5%


Description

lighttpd 1.4.80 incorrectly merged trailer fields into headers after HTTP request parsing. This behavior can be exploited to conduct HTTP Header Smuggling attacks. Successful exploitation may allow an attacker to:
  * Bypass access control rules
  * Inject unsafe input into backend logic that trusts request headers
  * Execute HTTP Request Smuggling attacks under some conditions
This issue affects lighttpd 1.4.80.

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.30% probability of exploitation · percentile 21.5% · 2026-06-18T12:00:27Z
Published: 2025-11-03
Last modified: 2025-11-12

Underlying weaknesses · 1

CWE-444

References

  1. https://github.com/lighttpd/lighttpd1.4/commit/35cb89c103877de62d6b63d0804255475d77e5e1

Type: Weakness
Target: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') (cwe-444)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE · CVE-2025-22871
CVE · CVE-2026-28368
CVE · CVE-2026-1502
CVE · CVE-2026-22903
CVE · CVE-2025-14523
CVE · CVE-2026-28367
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.