CVE-2025-60876

EUVD-2025-50804
BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20).
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 17%
Affected Products (NVD)
VendorProductVersion
busyboxbusybox
𝑥
≤ 1.37.0
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
SiemensRUGGEDCOM RST2428P
𝑥
< V4.0
ADP
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
busybox
bionic
needed
focal
needed
jammy
needed
noble
needed
plucky
ignored
questing
needed
resolute
needed
trusty
needed
xenial
needed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
busybox
suse enterprise desktop 15 SP7
1.37.0-150700.18.10.1
fixed
suse enterprise sap 15 SP5
1.37.0-150500.10.14.1
fixed
suse enterprise sap 15 SP6
1.37.0-150500.10.14.1
fixed
suse enterprise sap 15 SP7
1.37.0-150700.18.10.1
fixed
suse enterprise server 15 SP4
1.35.0-150400.3.14.1
fixed
suse enterprise server 15 SP5
1.37.0-150500.10.14.1
fixed
suse enterprise server 15 SP6
1.37.0-150500.10.14.1
fixed
suse enterprise server 15 SP7
1.37.0-150700.18.10.1
fixed
busybox-static
suse enterprise desktop 15 SP7
1.37.0-150700.18.10.1
fixed
suse enterprise sap 15 SP5
1.37.0-150500.10.14.1
fixed
suse enterprise sap 15 SP6
1.37.0-150500.10.14.1
fixed
suse enterprise sap 15 SP7
1.37.0-150700.18.10.1
fixed
suse enterprise server 15 SP4
1.35.0-150400.3.14.1
fixed
suse enterprise server 15 SP5
1.37.0-150500.10.14.1
fixed
suse enterprise server 15 SP6
1.37.0-150500.10.14.1
fixed
suse enterprise server 15 SP7
1.37.0-150700.18.10.1
fixed