CVE-2025-60876

BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20).
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
mitreCNA
---
---
CISA-ADPADP
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 11%
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
busybox
questing
deferred
plucky
deferred
noble
deferred
jammy
deferred
focal
deferred
bionic
deferred
xenial
deferred
trusty
deferred
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://gist.github.com/subyumatest/41554af6a72aedaacaec026adc311092
https://lists.busybox.net/pipermail/busybox/attachments/20250823/ccdc96ef/attachment-0001.htm
https://lists.busybox.net/pipermail/busybox/attachments/20250828/e7f90492/attachment.htm