Medium severity 6.5 · NVD Advisory · Published Nov 10, 2025 · Updated Jun 2, 2026
CVE-2025-60876
Description
BusyBox wget through 1.3.7 accepted raw CR (0x0D), LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20).
Affected products (26)
- BusyBox/wget (description)
- osv-coords, 23 versions:
  - pkg:apk/chainguard/busybox (range: < 1.37.0-r52)
  - pkg:apk/chainguard/busybox-full (range: < 1.37.0-r52)
  - pkg:apk/wolfi/busybox (range: < 1.37.0-r52)
  - pkg:apk/wolfi/busybox-full (range: < 1.37.0-r52)
  - pkg:rpm/opensuse/busybox&distro=openSUSE%20Leap%2015.6 (range: < 1.37.0-150500.10.14.1)
  - pkg:rpm/opensuse/busybox&distro=openSUSE%20Leap%2016.0 (range: < 1.37.0-160000.4.1)
  - pkg:rpm/opensuse/busybox&distro=openSUSE%20Tumbleweed (range: < 1.37.0-8.1)
  - pkg:rpm/opensuse/busybox-links&distro=openSUSE%20Leap%2015.6 (range: < 1.37.0-150500.7.9.1)
  - pkg:rpm/suse/busybox&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS (range: < 1.35.0-150400.3.14.1)
  - pkg:rpm/suse/busybox&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS (range: < 1.35.0-150400.3.14.1)
  - pkg:rpm/suse/busybox&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOS (range: < 1.37.0-150500.10.14.1)
  - pkg:rpm/suse/busybox&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSS (range: < 1.37.0-150500.10.14.1)
  - pkg:rpm/suse/busybox&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP7 (range: < 1.37.0-150700.18.10.1)
  - pkg:rpm/suse/busybox&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSS (range: < 1.35.0-10.3.1)
  - pkg:rpm/suse/busybox&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS (range: < 1.35.0-150400.3.14.1)
  - pkg:rpm/suse/busybox&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSS (range: < 1.37.0-150500.10.14.1)
  - pkg:rpm/suse/busybox&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP6-LTSS (range: < 1.37.0-150500.10.14.1)
  - pkg:rpm/suse/busybox&distro=SUSE%20Linux%20Enterprise%20Server%2016.0 (range: < 1.37.0-160000.4.1)
  - pkg:rpm/suse/busybox&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4 (range: < 1.35.0-150400.3.14.1)
  - pkg:rpm/suse/busybox&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5 (range: < 1.37.0-150500.10.14.1)
  - pkg:rpm/suse/busybox&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP6 (range: < 1.37.0-150500.10.14.1)
  - pkg:rpm/suse/busybox&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0 (range: < 1.37.0-160000.4.1)
  - pkg:rpm/suse/busybox&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5 (range: < 1.35.0-10.3.1)
References (4)
- gist.github.com/subyumatest/41554af6a72aedaacaec026adc311092 (nvd: Exploit, Third Party Advisory)
- lists.busybox.net/pipermail/busybox/attachments/20250823/ccdc96ef/attachment-0001.htm (nvd: Product)
- lists.busybox.net/pipermail/busybox/attachments/20250828/e7f90492/attachment.htm (nvd: Product)
- cert-portal.siemens.com/productcert/html/ssa-253495.html (nvd)