VYPR
Medium severity (CVSS 5.3) · OSV Advisory · Published Jun 17, 2024 · Updated Apr 15, 2026

CVE-2018-25103

Description

There exist use-after-free vulnerabilities in lighttpd <= 1.4.50 request parsing which might read from invalid pointers to memory used in the same request, not from other requests.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free in lighttpd <=1.4.50 request parsing allows remote, unauthenticated memory reads and potential denial-of-service.

Vulnerability

Overview

A use-after-free vulnerability exists in lighttpd versions 1.4.50 and earlier, within the HTTP request parser. The bug occurs when handling folded (continuation) headers: after headers are combined, some internal pointers become stale, leading to reads from freed or invalid memory during the same request [3]. The root cause was an oversight in how data_string pointers were reused after header folding operations, as seen in the patch that introduced proper tracking (current_header) and cleaned up the folding logic [4].

Exploitation

Prerequisites

An unauthenticated attacker can trigger this vulnerability remotely by sending crafted HTTP requests with folded headers. No authentication or special network position is required (CVSS v3.1 score 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) [2]. The attack surface includes any device or system running a vulnerable lighttpd version, which has historically been embedded in numerous IoT devices and baseboard management controllers (BMCs) from vendors such as AMI, Intel, and Lenovo [2][3].

Impact

A successful exploit can lead to two primary outcomes: (1) information disclosure – the server may leak memory contents that could reveal sensitive data, and (2) denial of service – the process can crash due to reading invalid pointers [1][3]. The original disclosure by VDOO in 2018 emphasized the DoS risk, while later analysis by Binarly in 2024 highlighted the information leak potential through string comparison against stale pointers [1][2].

Mitigation

Status

The lighttpd project fixed this vulnerability in version 1.4.51, released in August 2018 [1][3]. The patch is available in commit df8e4f95614e476276a55e34da2aa8b00b1148e9 [4]. However, many products still ship vulnerable versions, creating a supply-chain risk. Organizations are advised to upgrade to lighttpd >=1.4.51 and verify that embedded devices are updated. A CVE ID was only assigned in 2024 (CVE-2018-25103) after the vulnerability was found to still be present in numerous systems [3].
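The paragraph above recommends upgrading to lighttpd >= 1.4.51 and verifying that embedded devices actually carry the fix. A first screening pass in an inventory is to compare the version a device advertises against that fixed release. The script below is an added example, not code from this advisory or from the lighttpd project; it assumes the banner takes the form `lighttpd/<major>.<minor>.<patch>` (lighttpd's default `server.tag` format, treated here as an assumption) and the banners it processes are constructed samples, not observations from real devices.

```python
import re
from typing import List, Optional, Tuple

# Fixed release named in the advisory: lighttpd 1.4.51 (August 2018).
FIXED_VERSION = (1, 4, 51)

# Constructed sample Server header values for demonstration only.
SAMPLE_BANNERS = [
    "lighttpd/1.4.50",
    "lighttpd/1.4.51",
    "lighttpd/1.4.35 (ssl)",
    "lighttpd/1.4.76",
    "nginx/1.24.0",
    "lighttpd",  # tag with the version suppressed: cannot decide
]

# Assumed banner shape: "lighttpd/<major>.<minor>.<patch>" with optional suffix.
_VERSION_RE = re.compile(r"^lighttpd/(\d+)\.(\d+)\.(\d+)")


def parse_lighttpd_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Return (major, minor, patch) from a lighttpd Server banner, or None
    when the banner is not lighttpd or carries no parseable version."""
    m = _VERSION_RE.match(banner.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_affected(banner: str) -> Optional[bool]:
    """True when the banner reports a release <= 1.4.50 (in the affected
    range for CVE-2018-25103), False for >= 1.4.51, None when undecidable."""
    version = parse_lighttpd_version(banner)
    if version is None:
        return None
    # Tuple comparison orders (1, 4, 50) before (1, 4, 51).
    return version < FIXED_VERSION


def triage(banners: List[str]) -> dict:
    """Bucket banners into affected / fixed / unknown for follow-up."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for banner in banners:
        state = is_affected(banner)
        if state is None:
            result["unknown"].append(banner)
        elif state:
            result["affected"].append(banner)
        else:
            result["fixed"].append(banner)
    return result


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_BANNERS).items():
        print(f"{bucket}: {items}")
```

A banner comparison is a screening signal, not proof: vendors can suppress or alter the server tag, and an embedded image may backport the fix without bumping the version, or report a fixed-looking version while still shipping an old build. Treat "unknown" and "affected" results as items to confirm against the device's firmware manifest or the vendor's advisory rather than as a verdict.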

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1 · Patches: 2 · References: 6 · News mentions: 0 (no linked articles in the index yet).

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries and fix-commit diffs from this CVE's patches. Citations validated against the bundle.