DEBIAN-CVE-2025-60876
PUBLISHED
CVSS 6.5 MEDIUM
BusyBox wget through 1.3.7 accepted raw CR (0x0D), LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape `METHOD SP request-target SP HTTP/1.1`, a raw space (0x20) in the request-target must also be rejected (clients should use %20).
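The check described above, sketched as an added example (this is not BusyBox code or the upstream patch): the request-target is validated byte by byte before the request line is assembled. The function names, the 4096-byte cap and the rejection of DEL (0x7F) are assumptions made for illustration, and the sample targets are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: returns 1 if every byte of the request-target may be
 * placed on the request line, 0 otherwise. Rejects C0 controls (0x00-0x1F,
 * which covers CR and LF) and raw space (0x20), as the advisory requires.
 * DEL (0x7F) and the length cap are extra assumptions of this example. */
static int target_is_safe(const char *target, size_t len)
{
    if (len == 0 || len > 4096)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)target[i];
        if (c <= 0x20 || c == 0x7F)
            return 0;
    }
    return 1;
}

/* Builds "METHOD SP request-target SP HTTP/1.1 CRLF" into out.
 * The explicit length means an embedded NUL is inspected, not skipped.
 * Returns the number of bytes written, or -1 if the target is rejected
 * or the line does not fit in the buffer. */
static int build_request_line(char *out, size_t outsz, const char *method,
                              const char *target, size_t target_len)
{
    if (!target_is_safe(target, target_len))
        return -1;
    int n = snprintf(out, outsz, "%s %.*s HTTP/1.1\r\n",
                     method, (int)target_len, target);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

int main(void)
{
    /* Constructed sample targets. */
    static const char ok[] = "/a%20b?x=1";
    static const char split[] = "/a HTTP/1.1\r\nX-Injected: 1";
    char line[256];

    printf("encoded space: %d\n",
           build_request_line(line, sizeof line, "GET", ok, sizeof ok - 1));
    printf("raw CR/LF:     %d\n",
           build_request_line(line, sizeof line, "GET", split, sizeof split - 1));
    return 0;
}
```
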
Risk Scores
CVSS 3.1
6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:14 | busybox | 0, 1:1.37.0-6, 1:1.37.0-7 |
| Debian:13 | busybox | 0, 1.37.0-10, 1.37.0-10.1 |
| Debian:12 | busybox | *, 0, 1:1.35.0-4 |
| Debian:11 | busybox | 1.37.0-1, 1.37.0-10, 1.37.0-10.1 |
Exploit Intelligence
- sirredbeard/CVE-2025-60876 (github-poc-repo)
- sirredbeard/CVE-2025-60876 (github-poc)
- .grype.yaml (github-poc)
- report.html (github-poc)
…and 5 more exploits
Timeline
- Nov 10, 2025 CVE Published
- Apr 28, 2026 CVE Updated