AZL-70043

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-70043.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-70043

Upstream

CVE-2025-60876

Published

2025-11-10T20:15:48Z

Modified

2026-04-01T05:21:41.271483Z

Summary

CVE-2025-60876 affecting package busybox 1.36.1-22

Details

BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20).

References

https://nvd.nist.gov/vuln/detail/CVE-2025-60876

Affected packages

Azure Linux:3 / busybox

Package

Name: busybox
Purl: pkg:rpm/azure-linux/busybox

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.36.1-22

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-70043.json"