CVE-2025-60876

BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20).

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://gist.github.com/subyumatest/41554af6a72aedaacaec026adc311092	Exploit Third Party Advisory
https://lists.busybox.net/pipermail/busybox/attachments/20250823/ccdc96ef/attachment-0001.htm	Product
https://lists.busybox.net/pipermail/busybox/attachments/20250828/e7f90492/attachment.htm	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-11-10 20:15

Updated : 2025-12-31 18:29

NVD link : CVE-2025-60876

Mitre link : CVE-2025-60876

CVE.ORG link : CVE-2025-60876

JSON object : View

Products Affected

busybox

busybox

CWE

CWE-284

Improper Access Control

{"id": "CVE-2025-60876", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2025-11-10T20:15:48.683", "references": [{"url": "https://gist.github.com/subyumatest/41554af6a72aedaacaec026adc311092", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://lists.busybox.net/pipermail/busybox/attachments/20250823/ccdc96ef/attachment-0001.htm", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "https://lists.busybox.net/pipermail/busybox/attachments/20250828/e7f90492/attachment.htm", "tags": ["Product"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20)."}, {"lang": "es", "value": "BusyBox wget hasta la versi\u00f3n 1.3.7 aceptaba CR (0x0D)/LF (0x0A) sin procesar y otros bytes de control C0 en el *request-target* HTTP (ruta/consulta), lo que permit\u00eda dividir la l\u00ednea de solicitud e inyectar encabezados controlados por el atacante. Para preservar la forma de la l\u00ednea de solicitud HTTP/1.1 *M\u00c9TODO SP request-target SP HTTP/1.1*, un espacio sin procesar (0x20) en el *request-target* tambi\u00e9n debe ser rechazado (los clientes deben usar %20)."}], "lastModified": "2025-12-31T18:29:41.550", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D0BD983A-697D-4431-90F9-31956863BD41", "versionEndIncluding": "1.37.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}