CVE-2025-26803

The http parser in Phusion Passenger 6.0.21 through 6.0.25 before 6.0.26 allows a denial of service during parsing of a request with an invalid HTTP method.

References

Affected packages

Git / github.com/phusion/passenger

Affected ranges

Type: GIT
Repo: https://github.com/phusion/passenger
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

bb15591646687064ab2d578d5f9660b2a4168017

Affected versions

release-1.*

release-1.0.0

release-1.0.1

release-1.0.2

release-1.0.3

release-1.0.4

release-1.0.5

release-1.9.0

release-1.9.1

release-2.*

release-2.0.1

release-2.0.2

release-2.1.1

release-2.1.2

release-2.1.3

release-2.2.0

release-2.2.1

release-2.2.10

release-2.2.11

release-2.2.12

release-2.2.13

release-2.2.14

release-2.2.15

release-2.2.2

release-2.2.3

release-2.2.4

release-2.2.5

release-2.2.6

release-2.2.7

release-2.2.8

release-2.2.9

release-3.*

release-3.0.0

release-3.0.0.pre1

release-3.0.0.pre2

release-3.0.0.pre3

release-3.0.0.rc1

release-3.0.1

release-3.0.10

release-3.0.11

release-3.0.12

release-3.0.13

release-3.0.14

release-3.0.15

release-3.0.17

release-3.0.18

release-3.0.2

release-3.0.3

release-3.0.4

release-3.0.5

release-3.0.6

release-3.0.7

release-3.0.8

release-3.0.9

release-3.9.0.beta

release-3.9.1.beta

release-3.9.2.beta

release-3.9.3.rc1

release-3.9.4.rc2

release-3.9.5.rc3

release-4.*

release-4.0.0.rc4

release-4.0.0.rc6

release-4.0.1

release-4.0.10

release-4.0.13

release-4.0.14

release-4.0.16

release-4.0.17

release-4.0.18

release-4.0.19

release-4.0.2

release-4.0.20

release-4.0.21

release-4.0.23

release-4.0.24

release-4.0.25

release-4.0.26

release-4.0.27

release-4.0.28

release-4.0.29

release-4.0.3

release-4.0.30

release-4.0.31

release-4.0.32

release-4.0.33

release-4.0.34

release-4.0.35

release-4.0.36

release-4.0.37

release-4.0.38

release-4.0.39

release-4.0.4

release-4.0.40

release-4.0.41

release-4.0.42

release-4.0.43

release-4.0.44

release-4.0.45

release-4.0.46

release-4.0.48

release-4.0.49

release-4.0.5

release-4.0.50

release-4.0.51

release-4.0.52

release-4.0.53

release-4.0.55

release-4.0.56

release-4.0.57

release-4.0.58

release-4.0.59

release-4.0.6

release-4.0.7

release-4.0.8

release-5.*

release-5.0.0.beta1

release-5.0.0.beta2

release-5.0.0.beta3

release-5.0.0.rc1

release-5.0.0.rc2

release-5.0.1

release-5.0.10

release-5.0.11

release-5.0.13

release-5.0.14

release-5.0.15

release-5.0.16

release-5.0.17

release-5.0.18

release-5.0.19

release-5.0.2

release-5.0.20

release-5.0.21

release-5.0.22

release-5.0.23

release-5.0.24

release-5.0.25

release-5.0.26

release-5.0.27

release-5.0.28

release-5.0.29

release-5.0.3

release-5.0.30

release-5.0.4

release-5.0.5

release-5.0.6

release-5.0.7

release-5.0.8

release-5.0.9

release-5.1.0

release-5.1.1

release-5.1.11

release-5.1.12

release-5.1.2

release-5.1.3

release-5.1.4

release-5.1.5

release-5.1.6

release-5.1.7

release-5.1.8

release-5.2.0

release-5.2.1

release-5.2.2

release-5.2.3

release-5.3.0

release-5.3.1

release-5.3.2

release-5.3.3

release-5.3.4

release-5.3.5

release-5.3.6

release-5.3.7

release-6.*

release-6.0.0

release-6.0.1

release-6.0.10

release-6.0.11

release-6.0.12

release-6.0.13

release-6.0.14

release-6.0.15

release-6.0.16

release-6.0.17

release-6.0.18

release-6.0.19

release-6.0.2

release-6.0.20

release-6.0.21

release-6.0.22

release-6.0.23

release-6.0.24

release-6.0.25

release-6.0.3

release-6.0.4

release-6.0.5

release-6.0.6

release-6.0.7

release-6.0.8

release-6.0.9

Database specific

{
    "vanir_signatures": [
        {
            "id": "CVE-2025-26803-5dbd898d",
            "signature_type": "Line",
            "target": {
                "file": "test/cxx/ServerKit/HttpServerTest.cpp"
            },
            "digest": {
                "line_hashes": [
                    "8117683699263027943438562268108237960",
                    "159846368970890992501970301852003687410",
                    "151568209576910701785016521101112350064",
                    "63733756707479690652796638646275626111",
                    "149722765958687529556422848289673028715",
                    "150449434108351277660639663020626306984"
                ],
                "threshold": 0.9
            },
            "source": "https://github.com/phusion/passenger/commit/bb15591646687064ab2d578d5f9660b2a4168017",
            "signature_version": "v1",
            "deprecated": false
        },
        {
            "id": "CVE-2025-26803-8bc64ebc",
            "signature_type": "Line",
            "target": {
                "file": "src/cxx_supportlib/ServerKit/HttpHeaderParser.h"
            },
            "digest": {
                "line_hashes": [
                    "56306797910680458680513858847827566425",
                    "107987978948905297822111055413497539884",
                    "139751539488044244338213004978195162686",
                    "48406364839894459055057458748751939766",
                    "126129000892226978084914690524372797523",
                    "291180202743772447277637424915610914276",
                    "188977284653619227003663099453266334728",
                    "130226068079589049085485764552249605384",
                    "173973034677336729445737777403959927395",
                    "262345837927918660859994386825782137679",
                    "34180744244984834765419796061187695365",
                    "319341072846164040301563324607905281321",
                    "192951056543837832973618483999217414949",
                    "259270933250713078401013444110925756315",
                    "200454570958787743735776054332748498890",
                    "101634969142578602213220223203494708347",
                    "135047675219560846260880392497371353209",
                    "302140513471140508617751085565625995197",
                    "229042749498650772366122278122817005952",
                    "149958639359188816005422261764229797479",
                    "93675738036891230708706215170110964907",
                    "147653724487706571674821743751749355220",
                    "277326315136992160470016637510034757982",
                    "250013227632682964545653287013360620114",
                    "209169945146585259453642589882980512688",
                    "224598788670929604982815039037008832878",
                    "132260228758529287773806128944413748598",
                    "92489170402380554761043763242323091713",
                    "29438503903987926917851014139066559631",
                    "189555827958407754824182830434750045608",
                    "286687158545363123408087468678845787127",
                    "35525333612266263991505393357557525303",
                    "216231157110694763566174999412918954479",
                    "317783432281886519211468413743749793509",
                    "91409750413363469243859590167290029056",
                    "86336466407261702389505609711589246394",
                    "12020107809228527951654593784585053154",
                    "47632823417158353134236255785810907391",
                    "250277989612060786273419153537044138066",
                    "3891050002115813812055819233733799854",
                    "250448867392114710200114583775140680642",
                    "120590564049646061181460079441536230189",
                    "65209118318471498303135116160411488566",
                    "143137635858050786177560531215199641368",
                    "218369963036741708014981733108104921139",
                    "104847101121720313418745322981688040822",
                    "135285745199208492867235114986874162369",
                    "256331294652706969483285050770173010955",
                    "200922393326521130385609927746818524290"
                ],
                "threshold": 0.9
            },
            "source": "https://github.com/phusion/passenger/commit/bb15591646687064ab2d578d5f9660b2a4168017",
            "signature_version": "v1",
            "deprecated": false
        }
    ]
}