CVE-2025-12642

Publication date 3 November 2025

Last updated 10 July 2026


Ubuntu priority

Cvss 3 Severity Score

9.1 · Critical

Score breakdown

Description

lighttpd1.4.80 incorrectly merged trailer fields into headers after http request parsing. This behavior can be exploited to conduct HTTP Header Smuggling attacks. Successful exploitation may allow an attacker to: * Bypass access control rules * Inject unsafe input into backend logic that trusts request headers * Execute HTTP Request Smuggling attacks under some conditions This issue affects lighttpd1.4.80

Status

Package Ubuntu Release Status
lighttpd 26.04 LTS resolute
Needs evaluation
25.10 questing Ignored end of life, was needs-triage
25.04 plucky Ignored end of life, was needs-triage
24.04 LTS noble
Needs evaluation
22.04 LTS jammy
Needs evaluation
20.04 LTS focal
Needs evaluation
18.04 LTS bionic
Needs evaluation
16.04 LTS xenial Ignored end of ESM support, was needs-triage
14.04 LTS trusty
Needs evaluation

Severity score breakdown

CVSS version:

Base score 6.9 · Medium

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

Base score 9.1 · Critical

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N


Access our resources on patching vulnerabilities