Unrated severityNVD Advisory· Published Nov 3, 2025· Updated Nov 3, 2025

HTTP Header Smuggling via Trailer Merge

CVE-2025-12642

Description

lighttpd1.4.80 incorrectly merged trailer fields into headers after http request parsing. This behavior can be exploited to conduct HTTP Header Smuggling attacks.

Successful exploitation may allow an attacker to:

Bypass access control rules
Inject unsafe input into backend logic that trusts request headers
Execute HTTP Request Smuggling attacks under some conditions

This issue affects lighttpd1.4.80

Affected products

Lighttpd/Lighttpdv5
Range: 1.4.80

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/lighttpd/lighttpd1.4/commit/35cb89c103877de62d6b63d0804255475d77e5e1mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000