apk package
chainguard/busybox-full
pkg:apk/chainguard/busybox-full
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-60876 | — | < 1.37.0-r52 | 1.37.0-r52 | Nov 10, 2025 | BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target | ||
| CVE-2024-58251 | Low | 2.5 | < 1.37.0-r49 | 1.37.0-r49 | Apr 23, 2025 | In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim. | |
| CVE-2025-46394 | — | < 1.37.0-r50 | 1.37.0-r50 | Apr 23, 2025 | In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences. | ||
| CVE-2023-42366 | — | < 0 | 0 | Nov 27, 2023 | A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159. | ||
| CVE-2023-42365 | — | < 0 | 0 | Nov 27, 2023 | A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function. | ||
| CVE-2023-42364 | — | < 0 | 0 | Nov 27, 2023 | A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function. | ||
| CVE-2023-42363 | — | < 0 | 0 | Nov 27, 2023 | A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1. | ||
| CVE-2022-30065 | — | < 1.35.0-r3 | 1.35.0-r3 | May 18, 2022 | A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function. | ||
| CVE-2022-28391 | — | < 1.35.0-r3 | 1.35.0-r3 | Apr 3, 2022 | BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. |
- CVE-2025-60876Nov 10, 2025affected < 1.37.0-r52fixed 1.37.0-r52
BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target
- affected < 1.37.0-r49fixed 1.37.0-r49
In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.
- CVE-2025-46394Apr 23, 2025affected < 1.37.0-r50fixed 1.37.0-r50
In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.
- CVE-2023-42366Nov 27, 2023affected < 0fixed 0
A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.
- CVE-2023-42365Nov 27, 2023affected < 0fixed 0
A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function.
- CVE-2023-42364Nov 27, 2023affected < 0fixed 0
A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.
- CVE-2023-42363Nov 27, 2023affected < 0fixed 0
A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.
- CVE-2022-30065May 18, 2022affected < 1.35.0-r3fixed 1.35.0-r3
A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function.
- CVE-2022-28391Apr 3, 2022affected < 1.35.0-r3fixed 1.35.0-r3
BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.