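The HTTP parser in Phusion Passenger 6.0.21 through 6.0.25 (versions before 6.0.26) allows a denial of service when it parses a request with an invalid HTTP method. Both signatures below cite the same upstream commit as their source; one of them targets a test file (test/cxx/ServerKit/HttpServerTest.cpp), so a match on that signature alone says little about the parser code in src/cxx_supportlib/ServerKit/HttpHeaderParser.h.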
{ "vanir_signatures": [ { "id": "CVE-2025-26803-5dbd898d", "signature_type": "Line", "target": { "file": "test/cxx/ServerKit/HttpServerTest.cpp" }, "digest": { "line_hashes": [ "8117683699263027943438562268108237960", "159846368970890992501970301852003687410", "151568209576910701785016521101112350064", "63733756707479690652796638646275626111", "149722765958687529556422848289673028715", "150449434108351277660639663020626306984" ], "threshold": 0.9 }, "source": "https://github.com/phusion/passenger/commit/bb15591646687064ab2d578d5f9660b2a4168017", "signature_version": "v1", "deprecated": false }, { "id": "CVE-2025-26803-8bc64ebc", "signature_type": "Line", "target": { "file": "src/cxx_supportlib/ServerKit/HttpHeaderParser.h" }, "digest": { "line_hashes": [ "56306797910680458680513858847827566425", "107987978948905297822111055413497539884", "139751539488044244338213004978195162686", "48406364839894459055057458748751939766", "126129000892226978084914690524372797523", "291180202743772447277637424915610914276", "188977284653619227003663099453266334728", "130226068079589049085485764552249605384", "173973034677336729445737777403959927395", "262345837927918660859994386825782137679", "34180744244984834765419796061187695365", "319341072846164040301563324607905281321", "192951056543837832973618483999217414949", "259270933250713078401013444110925756315", "200454570958787743735776054332748498890", "101634969142578602213220223203494708347", "135047675219560846260880392497371353209", "302140513471140508617751085565625995197", "229042749498650772366122278122817005952", "149958639359188816005422261764229797479", "93675738036891230708706215170110964907", "147653724487706571674821743751749355220", "277326315136992160470016637510034757982", "250013227632682964545653287013360620114", "209169945146585259453642589882980512688", "224598788670929604982815039037008832878", "132260228758529287773806128944413748598", "92489170402380554761043763242323091713", 
"29438503903987926917851014139066559631", "189555827958407754824182830434750045608", "286687158545363123408087468678845787127", "35525333612266263991505393357557525303", "216231157110694763566174999412918954479", "317783432281886519211468413743749793509", "91409750413363469243859590167290029056", "86336466407261702389505609711589246394", "12020107809228527951654593784585053154", "47632823417158353134236255785810907391", "250277989612060786273419153537044138066", "3891050002115813812055819233733799854", "250448867392114710200114583775140680642", "120590564049646061181460079441536230189", "65209118318471498303135116160411488566", "143137635858050786177560531215199641368", "218369963036741708014981733108104921139", "104847101121720313418745322981688040822", "135285745199208492867235114986874162369", "256331294652706969483285050770173010955", "200922393326521130385609927746818524290" ], "threshold": 0.9 }, "source": "https://github.com/phusion/passenger/commit/bb15591646687064ab2d578d5f9660b2a4168017", "signature_version": "v1", "deprecated": false } ] }