CVE-2025-60876: BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20).
Overview
- Severity
- Critical (CVSS 9.4)
- CVSS Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L/E:P
- Exploit Status
- Not Exploited
- Patch Tuesday
- 2025-Nov
- Released
- 2025-11-13
- Last Updated
- 2026-03-31
- EPSS Score
- 0.04% (percentile: 13.3%)
Affected Products (8)
Other
- 20743-17084
- 20892-17084
- 20948-17086
- 20970-17084
- 21096-17084
- 20103-17086
- 20626-17084
- 20891-17086
Revision History
- 2025-11-13: Information published.
- 2025-12-07: Information published.
- 2026-02-18: Information published.
- 2026-03-03: Information published.
- 2026-03-04: Information published.
- 2026-03-31: Information published.