CVE-2018-25103
Use-after-free vulnerabilities in lighttpd <= 1.4.50There exists use-after-free vulnerabilities in lighttpd <= 1.4.50 request parsing which might read from invalid pointers to memory used in the same request, not from other requests.
We have discovered 55,224 live websites that are affected by CVE-2018-25103.
Affected Software
| Product |  lighttpd |
| Category | Web Servers |
| Vulnerable Domains | 55,224 live websites (87.20% of lighttpd install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 35 versions ( 57.38% of all versions) |
Details
- Published - Jun 17, 2024
- Updated - Feb 13, 2025
Credits
- Thanks to VDOO Embedded Security part of JFROG for reporting the vulnerability in the If-Modified-Since header with line folding, and thanks to Marcus Wengelin for reporting the vulnerability in the Range header with a specially crafted pair of Range headers. (finder)
CVE References
CVE-2018-25103 usage by Country
 United States | 887 websites |
 Russia | 48,441 websites |
 Germany | 2,008 websites |
 France | 1,016 websites |
 Czech Republic | 365 websites |
 Singapore | 279 websites |
 New Zealand | 240 websites |
 Australia | 173 websites |
 China | 145 websites |
 Poland | 138 websites |
CVE-2018-25103 usage by TLD
| .ru | 45,010 websites |
| .com | 1,675 websites |
| .de | 1,570 websites |
| .net | 632 websites |
| .fr | 520 websites |
| .org | 355 websites |
| .cz | 235 websites |
| .pl | 114 websites |
| .ch | 101 websites |
| .eu | 97 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2018-25103
Top websites that are affected by CVE-2018-25103. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *******.*****.**.th |  Thailand | **,*** | |
| **********.com | United States | **,*** | |
| ***.*****.fi |  Sweden | **,*** | |
| *********.****.cz | Czech Republic | **,*** | |
| *******.ru | Russia | **,*** | |
| *****.to | United States | **,*** | |
| ****.ru | Russia | **,*** | |
| ************.pe |  Peru | ***,*** | |
| ********.is | Singapore | ***,*** | |
| *******.********.com | United States | ***,*** |
References
- https://blogvdoo.wordpress.com/2018/11/06/giving-back-securing-open-source-iot-projects/#more-736
- https://www.runzero.com/blog/lighttpd/
- https://github.com/lighttpd/lighttpd1.4/commit/df8e4f95614e476276a55e34da2aa8b00b1148e9
- https://github.com/lighttpd/lighttpd1.4/commit/d161f53de04bc826ce1bdaeb3dce2c72ca50a3f8
- https://9443417.fs1.hubspotusercontent-na1.net/hubfs/9443417/Security%20Advisories/2024/AMI-SA-2024002.pdf
- https://www.kb.cert.org/vuls/id/312260