CVE-2025-60876

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions BusyBox versions through 1.3.7

Description The software accepts raw CR (0x0D)/LF (0x0A) and other C0 control bytes within the HTTP request-target (path/query). This allows an attacker to split the request line and inject controlled headers. Specifically, the software fails to reject raw spaces (0x20) within the request-target, which should be encoded as '%20'. This impacts the HTTP/1.1 request-line structure, which requires a space between the request-target and the HTTP version.

Recommendations Update BusyBox to a version later than 1.3.7.

Exploit

Fix

Improper Access Control

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-284

Related Identifiers

AZL-69985

AZL-70043

BDU:2026-05705

CVE-2025-60876

OESA-2026-1879

OESA-2026-1880

OESA-2026-1881

OPENSUSE-SU-2025:15834-1

OPENSUSE-SU-2026:20090-1

RHSA-2026:7418

SUSE-SU-2026:0235-1

SUSE-SU-2026:0236-1

SUSE-SU-2026:0872-1

SUSE-SU-2026:0892-1

SUSE-SU-2026:20134-1

Affected Products

Busybox

Debian

Red Os

CVE-2025-60876

Weakness Enumeration

Related Identifiers

Affected Products

References · 60