CVE-2025-12642
HTTP Header Smuggling via Trailer Mergelighttpd1.4.80 incorrectly merged trailer fields into headers after http request parsing. This behavior can be exploited to conduct HTTP Header Smuggling attacks. Successful exploitation may allow an attacker to: * Bypass access control rules * Inject unsafe input into backend logic that trusts request headers * Execute HTTP Request Smuggling attacks under some conditions This issue affects lighttpd1.4.80
We have discovered 3 live websites that are affected by CVE-2025-12642.
Affected Software
| Product |  lighttpd |
| Category | Web Servers |
| Vulnerable Domains | 3 live websites (less than 0.1% of lighttpd install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 1 versions ( 1.72% of all versions) |
Common Weakness Enumeration
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')Details
- Published - Nov 3, 2025
- Updated - Nov 3, 2025
Credits
- Sebastiano Sartor <@sebsrt> (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-12642 United States | 2 websites |
 Germany | 1 websites |
Website Distribution by TLD
Number of websites using CVE-2025-12642| .com | 1 websites |
| .de | 1 websites |
| .org | 1 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-12642
Top websites that are affected by CVE-2025-12642. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *****.******.*********.de | Germany | **,***,*** | |
| *************.org | United States | **,***,*** | |
| *.*******.com | United States | **,***,*** |
FAQ
CVE-2025-12642 is Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in lighttpd
A total of 3 websites have been identified as vulnerable to CVE-2025-12642, based on global website indexing conducted by WebTechSurvey.
The lighttpd is affected by the CVE-2025-12642 vulnerability.
lighttpd versions up to 1.4.81 are vulnerable to CVE-2025-12642.
CVE-2025-12642 is resolved in version 1.4.81 of lighttpd.