CVE-2025-26803

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-26803

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-26803.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-26803

Aliases

Downstream

DEBIAN-CVE-2025-26803

UBUNTU-CVE-2025-26803

Published

2025-02-24T16:15:15.020Z

Modified

2026-02-03T07:38:54.525012Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

The http parser in Phusion Passenger 6.0.21 through 6.0.25 before 6.0.26 allows a denial of service during parsing of a request with an invalid HTTP method.

References

Affected packages

Git / github.com/phusion/passenger

Affected ranges

Type: GIT
Repo: https://github.com/phusion/passenger
Events: Fixed

bb15591646687064ab2d578d5f9660b2a4168017

Introduced

a92fb74f0c6a1360b34e5624c7c801dbf8e5d77a

Fixed

bb15591646687064ab2d578d5f9660b2a4168017

Affected versions

release-6.*

release-6.0.21

release-6.0.22

release-6.0.23

release-6.0.24

release-6.0.25

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-26803.json"

vanir_signatures

[
    {
        "deprecated": false,
        "source": "https://github.com/phusion/passenger/commit/bb15591646687064ab2d578d5f9660b2a4168017",
        "target": {
            "file": "test/cxx/ServerKit/HttpServerTest.cpp"
        },
        "id": "CVE-2025-26803-5dbd898d",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "8117683699263027943438562268108237960",
                "159846368970890992501970301852003687410",
                "151568209576910701785016521101112350064",
                "63733756707479690652796638646275626111",
                "149722765958687529556422848289673028715",
                "150449434108351277660639663020626306984"
            ]
        },
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "source": "https://github.com/phusion/passenger/commit/bb15591646687064ab2d578d5f9660b2a4168017",
        "target": {
            "file": "src/cxx_supportlib/ServerKit/HttpHeaderParser.h"
        },
        "id": "CVE-2025-26803-8bc64ebc",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "56306797910680458680513858847827566425",
                "107987978948905297822111055413497539884",
                "139751539488044244338213004978195162686",
                "48406364839894459055057458748751939766",
                "126129000892226978084914690524372797523",
                "291180202743772447277637424915610914276",
                "188977284653619227003663099453266334728",
                "130226068079589049085485764552249605384",
                "173973034677336729445737777403959927395",
                "262345837927918660859994386825782137679",
                "34180744244984834765419796061187695365",
                "319341072846164040301563324607905281321",
                "192951056543837832973618483999217414949",
                "259270933250713078401013444110925756315",
                "200454570958787743735776054332748498890",
                "101634969142578602213220223203494708347",
                "135047675219560846260880392497371353209",
                "302140513471140508617751085565625995197",
                "229042749498650772366122278122817005952",
                "149958639359188816005422261764229797479",
                "93675738036891230708706215170110964907",
                "147653724487706571674821743751749355220",
                "277326315136992160470016637510034757982",
                "250013227632682964545653287013360620114",
                "209169945146585259453642589882980512688",
                "224598788670929604982815039037008832878",
                "132260228758529287773806128944413748598",
                "92489170402380554761043763242323091713",
                "29438503903987926917851014139066559631",
                "189555827958407754824182830434750045608",
                "286687158545363123408087468678845787127",
                "35525333612266263991505393357557525303",
                "216231157110694763566174999412918954479",
                "317783432281886519211468413743749793509",
                "91409750413363469243859590167290029056",
                "86336466407261702389505609711589246394",
                "12020107809228527951654593784585053154",
                "47632823417158353134236255785810907391",
                "250277989612060786273419153537044138066",
                "3891050002115813812055819233733799854",
                "250448867392114710200114583775140680642",
                "120590564049646061181460079441536230189",
                "65209118318471498303135116160411488566",
                "143137635858050786177560531215199641368",
                "218369963036741708014981733108104921139",
                "104847101121720313418745322981688040822",
                "135285745199208492867235114986874162369",
                "256331294652706969483285050770173010955",
                "200922393326521130385609927746818524290"
            ]
        },
        "signature_type": "Line",
        "signature_version": "v1"
    }
]