CVE-2025-60876 Affecting busybox package, versions *
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-UBUNTU2510-BUSYBOX-13882344
- published13 Nov 2025
- disclosed10 Nov 2025
Introduced: 10 Nov 2025
NewCVE-2025-60876 (opens in a new tab)How to fix?
There is no fixed version for Ubuntu:25.10 busybox.
NVD Description
Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.10 relevant fixed versions and status.
BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20).
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-60876
- https://gist.github.com/subyumatest/41554af6a72aedaacaec026adc311092
- https://lists.busybox.net/pipermail/busybox/attachments/20250823/ccdc96ef/attachment-0001.htm
- https://lists.busybox.net/pipermail/busybox/attachments/20250828/e7f90492/attachment.htm