CVE-2025-60876
ADVISORY - nistSummary
BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20).
EPSS Score: 0.00052 (0.164)
Common Weakness Enumeration (CWE)
ADVISORY - nist
Improper Access Control
ADVISORY - redhat
Improper Neutralization of CRLF Sequences ('CRLF Injection')
Alpine
CREATED
UPDATED
ADVISORY IDCVE-2025-60876
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
| Package | Type | OS Name | OS Version | Affected Ranges | Fix Versions |
|---|---|---|---|---|---|
| alpine/busybox | apk | alpine | 3.21 | <=1.37.0-r13 | Not yet available |
| alpine/busybox | apk | alpine | 3.23 | <=1.37.0-r30 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.36.1-r2 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.35.0-r22 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.36.1-r27 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.37.0-r30 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.37.0-r31 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.35.0-r24 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.34.0_r0 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.36.1-r28 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.35.0-r20 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.35.0-r18 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.29.3-r10 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.35.0-r30 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.35.0-r21 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.37.0-r28 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.36.1-r25 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.35.0-r7 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.35.0-r29 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.35.0-r17 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.37.0-r29 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.34.0-r0 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.35.0-r13 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.35.0-r12 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.37.0-r24 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.28.3-r2 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.35.0-r19 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.33.0-r5 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.30.1-r2 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.36.1-r32 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.36.1-r31 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.37.0-r26 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.35.0-r15 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.35.0-r23 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.27.2-r4 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.35.0-r14 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.35.0-r10 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.37.0-r27 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.35.0-r27 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.37.0-r25 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.37.0-r22 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.36.1-r29 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.35.0-r16 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.36.1-r26 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.37.0-r23 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.36.1-r30 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.35.0-r25 | Not yet available |
| alpine/busybox | apk | alpine | edge | <=1.35.0-r28 | Not yet available |
| alpine/busybox | apk | alpine | 3.21 | <=1.27.2-r4 | Not yet available |
| alpine/busybox | apk | alpine | 3.21 | <=1.28.3-r2 | Not yet available |
| alpine/busybox | apk | alpine | 3.21 | <=1.29.3-r10 | Not yet available |
| alpine/busybox | apk | alpine | 3.21 | <=1.30.1-r2 | Not yet available |
| alpine/busybox | apk | alpine | 3.21 | <=1.33.0-r5 | Not yet available |
| alpine/busybox | apk | alpine | 3.21 | <=1.34.0-r0 | Not yet available |
| alpine/busybox | apk | alpine | 3.21 | <=1.35.0-r17 | Not yet available |
| alpine/busybox | apk | alpine | 3.21 | <=1.35.0-r7 | Not yet available |
| alpine/busybox | apk | alpine | 3.21 | <=1.36.1-r2 | Not yet available |
| alpine/busybox | apk | alpine | 3.21 | <=1.36.1-r25 | Not yet available |
| alpine/busybox | apk | alpine | 3.21 | <=1.36.1-r27 | Not yet available |
| alpine/busybox | apk | alpine | 3.21 | <=1.36.1-r30 | Not yet available |
| alpine/busybox | apk | alpine | 3.21 | <=1.37.0-r14 | Not yet available |
| alpine/busybox | apk | alpine | 3.20 | <=1.27.2-r4 | Not yet available |
| alpine/busybox | apk | alpine | 3.20 | <=1.28.3-r2 | Not yet available |
| alpine/busybox | apk | alpine | 3.20 | <=1.29.3-r10 | Not yet available |
| alpine/busybox | apk | alpine | 3.20 | <=1.30.1-r2 | Not yet available |
| alpine/busybox | apk | alpine | 3.20 | <=1.33.0-r5 | Not yet available |
| alpine/busybox | apk | alpine | 3.20 | <=1.34.0-r0 | Not yet available |
| alpine/busybox | apk | alpine | 3.20 | <=1.35.0-r17 | Not yet available |
| alpine/busybox | apk | alpine | 3.20 | <=1.35.0-r7 | Not yet available |
| alpine/busybox | apk | alpine | 3.20 | <=1.36.1-r2 | Not yet available |
| alpine/busybox | apk | alpine | 3.20 | <=1.36.1-r25 | Not yet available |
| alpine/busybox | apk | alpine | 3.20 | <=1.36.1-r27 | Not yet available |
| alpine/busybox | apk | alpine | 3.20 | <=1.36.1-r28 | Not yet available |
| alpine/busybox | apk | alpine | 3.20 | <=1.36.1-r29 | Not yet available |
| alpine/busybox | apk | alpine | 3.20 | <=1.36.1-r30 | Not yet available |
| alpine/busybox | apk | alpine | 3.20 | <=1.36.1-r31 | Not yet available |
| alpine/busybox | apk | alpine | 3.22 | <=1.27.2-r4 | Not yet available |
| alpine/busybox | apk | alpine | 3.22 | <=1.28.3-r2 | Not yet available |
| alpine/busybox | apk | alpine | 3.22 | <=1.29.3-r10 | Not yet available |
| alpine/busybox | apk | alpine | 3.22 | <=1.30.1-r2 | Not yet available |
| alpine/busybox | apk | alpine | 3.22 | <=1.33.0-r5 | Not yet available |
| alpine/busybox | apk | alpine | 3.22 | <=1.34.0-r0 | Not yet available |
| alpine/busybox | apk | alpine | 3.22 | <=1.35.0-r17 | Not yet available |
| alpine/busybox | apk | alpine | 3.22 | <=1.35.0-r7 | Not yet available |
| alpine/busybox | apk | alpine | 3.22 | <=1.36.1-r2 | Not yet available |
| alpine/busybox | apk | alpine | 3.22 | <=1.36.1-r25 | Not yet available |
| alpine/busybox | apk | alpine | 3.22 | <=1.36.1-r27 | Not yet available |
| alpine/busybox | apk | alpine | 3.22 | <=1.36.1-r30 | Not yet available |
| alpine/busybox | apk | alpine | 3.22 | <=1.37.0-r19 | Not yet available |
| alpine/busybox | apk | alpine | 3.22 | <=1.37.0-r20 | Not yet available |
Severity and metrics
No CVSS data available from this advisory.
NIST
CREATED
UPDATED
ADVISORY IDCVE-2025-60876
EXPLOITABILITY SCORE
3.9
EXPLOITS FOUND
COMMON WEAKNESS ENUMERATION (CWE)
CVSS SCORE
6.5mediumDebian
CREATED
UPDATED
ADVISORY IDCVE-2025-60876
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Ubuntu
CREATED
UPDATED
ADVISORY IDCVE-2025-60876
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
CVSS SCORE
N/AmediumRed Hat
CREATED
UPDATED
ADVISORY IDCVE-2025-60876
EXPLOITABILITY SCORE
2.8
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CVSS SCORE
5.4lowChainguard
CREATED
UPDATED
ADVISORY ID
CGA-hgjv-8vrq-5jv9
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
minimos
CREATED
UPDATED
ADVISORY ID
MINI-3729-6w87-2929
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-