AZL-69985

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-69985.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-69985

Upstream

CVE-2025-60876

Published

2025-11-10T20:15:48Z

Modified

2026-04-01T05:21:40.277950Z

Summary

CVE-2025-60876 affecting package busybox 1.35.0-18

Details

BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20).

References

https://nvd.nist.gov/vuln/detail/CVE-2025-60876

Affected packages

Azure Linux:2 / busybox

Package

Name: busybox
Purl: pkg:rpm/azure-linux/busybox

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.35.0-18

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-69985.json"