CVE-2018-25103
lighttpd vulnerability analysis and mitigation

Overview

A use-after-free vulnerability exists in lighttpd versions 1.4.50 and earlier in the HTTP request parsing functionality (CVE-2018-25103). The vulnerability was discovered by VDOO researchers in November 2018 and was fixed in version 1.4.51 released in August 2018. The issue affects multiple devices and systems using the vulnerable lighttpd versions, particularly in IoT devices and embedded systems (CERT/CC, SecurityOnline).

Technical details

The vulnerability lies in the HTTP header parsing code: pointers to header values stored in con->request are not updated when the underlying header buffer is reallocated as folded (continuation) header lines are appended. Once the buffer moves, those stored pointers refer to freed memory, so the server may read from stale pointers into memory that has been freed and possibly reused within the same request. The issue has a CVSS v3.1 score of 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (SecurityOnline, RunZero).
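As an added illustration (constructed here, not lighttpd's code), the pointer-invalidation pattern described above in C: a raw pointer taken into a growable header buffer goes stale when a folded continuation line forces a reallocation, whereas an offset resolved against the live buffer on every use stays valid. The buffer type, its generation counter and the sample header value are all assumptions for the demonstration.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed growable buffer for illustration; not lighttpd's buffer API. */
typedef struct { char *ptr; size_t used, cap; unsigned gen; } hbuf;

static void hbuf_init(hbuf *b, size_t cap) {
    b->ptr = malloc(cap);
    if (!b->ptr) abort();
    b->ptr[0] = '\0'; b->used = 0; b->cap = cap; b->gen = 0;
}

/* Appends n bytes; every reallocation bumps gen so raw pointers can be checked. */
static void hbuf_append(hbuf *b, const char *s, size_t n) {
    if (b->used + n + 1 > b->cap) {
        size_t ncap = (b->used + n + 1) * 2;
        char *np = realloc(b->ptr, ncap);   /* may move the block */
        if (!np) abort();
        b->ptr = np; b->cap = ncap; b->gen++;  /* any old raw pointer is now stale */
    }
    memcpy(b->ptr + b->used, s, n);
    b->used += n;
    b->ptr[b->used] = '\0';
}

/* Vulnerable pattern: a raw pointer into the buffer (plus the gen it was taken at). */
typedef struct { const char *p; unsigned gen; } raw_ref;
/* Hardened pattern: an offset, resolved against the live buffer on each use. */
typedef struct { size_t off; } off_ref;

static int raw_ref_is_stale(const hbuf *b, raw_ref r) { return r.gen != b->gen; }
static const char *off_ref_get(const hbuf *b, off_ref r) { return b->ptr + r.off; }

/* Header value "abc" is parsed, then a folded continuation " def" is appended.
   Returns 1 if the raw pointer was invalidated by the fold (dereferencing it
   would be the use-after-free). */
static int fold_invalidates_raw_pointer(void) {
    hbuf b; hbuf_init(&b, 4);               /* tiny capacity: the fold must realloc */
    hbuf_append(&b, "abc", 3);
    raw_ref rr = { b.ptr, b.gen };
    hbuf_append(&b, " def", 4);             /* folded line grows the buffer */
    int stale = raw_ref_is_stale(&b, rr);
    free(b.ptr);
    return stale;
}

/* Same sequence using the offset reference; returns 1 if the folded value
   read through the live buffer equals expected. */
static int folded_value_matches(const char *expected) {
    hbuf b; hbuf_init(&b, 4);
    hbuf_append(&b, "abc", 3);
    off_ref r = { 0 };
    hbuf_append(&b, " def", 4);
    int ok = strcmp(off_ref_get(&b, r), expected) == 0;
    free(b.ptr);
    return ok;
}
```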

Impact

The vulnerability can lead to information disclosure: an attacker can confirm whether the string referred to by a previously used (now stale) pointer is equal to a separate string the attacker supplies. While the impact is limited, since attackers can only confirm values they already know, the vulnerability affects numerous devices from various manufacturers, particularly in IoT and embedded systems (RunZero, SecurityOnline).

Mitigation and workarounds

The primary mitigation is to update lighttpd to version 1.4.51 or later, which contains the fix. For systems that cannot be updated, network segmentation is recommended to prevent access to these outdated lighttpd services from untrusted networks. For specific devices such as BMCs, it is recommended to isolate these interfaces on a dedicated management network and use VPNs for remote access (RunZero, CERT/CC).

Community reactions

Intel and Lenovo have indicated that their affected products are end-of-life (EOL) and will not receive updates. AMI has released updated firmware for affected systems. The vulnerability has raised concerns about supply-chain security, as many organizations failed to recognize the necessity of the security fix due to the initial lack of a CVE identifier (RunZero).

This report was generated using AI.

Related lighttpd vulnerabilities:

CVE ID           Severity  Score  Technologies  Component name             CISA KEV exploit  Has fix  Published date
CVE-2024-3094    CRITICAL  10     NixOS         xz                         No                Yes      Mar 29, 2024
CVE-2025-8671    HIGH      7.5    lighttpd      lighttpd                   No                Yes      Aug 13, 2025
CVE-2022-41556   HIGH      7.5    NixOS         lighttpd-mod_vhostdb_dbi   No                Yes      Oct 06, 2022
CVE-2022-37797   HIGH      7.5    NixOS         lighttpd-mod_authn_pam     No                Yes      Sep 12, 2022
CVE-2018-25103   MEDIUM    5.3    lighttpd      lighttpd-debuginfo         No                Yes      Jun 17, 2024
