CVE-2025-26803
- Source
- https://cve.org/CVERecord?id=CVE-2025-26803
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-26803.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-26803
- Aliases
- Downstream
- Published
- 2025-02-24T16:15:15.020Z
- Modified
- 2025-11-16T15:23:49.671054Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
The http parser in Phusion Passenger 6.0.21 through 6.0.25 before 6.0.26 allows a denial of service during parsing of a request with an invalid HTTP method.
- References
-
- https://www.phusionpassenger.com/support
- https://blog.phusion.nl/2025/02/19/passenger-6-0-26/
- https://github.com/phusion/passenger/commit/bb15591646687064ab2d578d5f9660b2a4168017
- https://github.com/phusion/passenger/compare/release-6.0.25...release-6.0.26
- https://github.com/phusion/passenger/releases/tag/release-6.0.26
Affected packages
Git / github.com/phusion/passenger
Affected ranges
- Type
- GIT
- Repo
- https://github.com/phusion/passenger
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
release-1.*
release-1.0.0
release-1.0.1
release-1.0.2
release-1.0.3
release-1.0.4
release-1.0.5
release-1.9.0
release-1.9.1
release-2.*
release-2.0.1
release-2.0.2
release-2.1.1
release-2.1.2
release-2.1.3
release-2.2.0
release-2.2.1
release-2.2.10
release-2.2.11
release-2.2.12
release-2.2.13
release-2.2.14
release-2.2.15
release-2.2.2
release-2.2.3
release-2.2.4
release-2.2.5
release-2.2.6
release-2.2.7
release-2.2.8
release-2.2.9
release-3.*
release-3.0.0
release-3.0.0.pre1
release-3.0.0.pre2
release-3.0.0.pre3
release-3.0.0.rc1
release-3.0.1
release-3.0.10
release-3.0.11
release-3.0.12
release-3.0.13
release-3.0.14
release-3.0.15
release-3.0.17
release-3.0.18
release-3.0.2
release-3.0.3
release-3.0.4
release-3.0.5
release-3.0.6
release-3.0.7
release-3.0.8
release-3.0.9
release-3.9.0.beta
release-3.9.1.beta
release-3.9.2.beta
release-3.9.3.rc1
release-3.9.4.rc2
release-3.9.5.rc3
release-4.*
release-4.0.0.rc4
release-4.0.0.rc6
release-4.0.1
release-4.0.10
release-4.0.13
release-4.0.14
release-4.0.16
release-4.0.17
release-4.0.18
release-4.0.19
release-4.0.2
release-4.0.20
release-4.0.21
release-4.0.23
release-4.0.24
release-4.0.25
release-4.0.26
release-4.0.27
release-4.0.28
release-4.0.29
release-4.0.3
release-4.0.30
release-4.0.31
release-4.0.32
release-4.0.33
release-4.0.34
release-4.0.35
release-4.0.36
release-4.0.37
release-4.0.38
release-4.0.39
release-4.0.4
release-4.0.40
release-4.0.41
release-4.0.42
release-4.0.43
release-4.0.44
release-4.0.45
release-4.0.46
release-4.0.48
release-4.0.49
release-4.0.5
release-4.0.50
release-4.0.51
release-4.0.52
release-4.0.53
release-4.0.55
release-4.0.56
release-4.0.57
release-4.0.58
release-4.0.59
release-4.0.6
release-4.0.7
release-4.0.8
release-5.*
release-5.0.0.beta1
release-5.0.0.beta2
release-5.0.0.beta3
release-5.0.0.rc1
release-5.0.0.rc2
release-5.0.1
release-5.0.10
release-5.0.11
release-5.0.13
release-5.0.14
release-5.0.15
release-5.0.16
release-5.0.17
release-5.0.18
release-5.0.19
release-5.0.2
release-5.0.20
release-5.0.21
release-5.0.22
release-5.0.23
release-5.0.24
release-5.0.25
release-5.0.26
release-5.0.27
release-5.0.28
release-5.0.29
release-5.0.3
release-5.0.30
release-5.0.4
release-5.0.5
release-5.0.6
release-5.0.7
release-5.0.8
release-5.0.9
release-5.1.0
release-5.1.1
release-5.1.11
release-5.1.12
release-5.1.2
release-5.1.3
release-5.1.4
release-5.1.5
release-5.1.6
release-5.1.7
release-5.1.8
release-5.2.0
release-5.2.1
release-5.2.2
release-5.2.3
release-5.3.0
release-5.3.1
release-5.3.2
release-5.3.3
release-5.3.4
release-5.3.5
release-5.3.6
release-5.3.7
release-6.*
release-6.0.0
release-6.0.1
release-6.0.10
release-6.0.11
release-6.0.12
release-6.0.13
release-6.0.14
release-6.0.15
release-6.0.16
release-6.0.17
release-6.0.18
release-6.0.19
release-6.0.2
release-6.0.20
release-6.0.21
release-6.0.22
release-6.0.23
release-6.0.24
release-6.0.25
release-6.0.3
release-6.0.4
release-6.0.5
release-6.0.6
release-6.0.7
release-6.0.8
release-6.0.9
Database specific
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-26803.json"
vanir_signatures
[
{
"id": "CVE-2025-26803-5dbd898d",
"source": "https://github.com/phusion/passenger/commit/bb15591646687064ab2d578d5f9660b2a4168017",
"digest": {
"threshold": 0.9,
"line_hashes": [
"8117683699263027943438562268108237960",
"159846368970890992501970301852003687410",
"151568209576910701785016521101112350064",
"63733756707479690652796638646275626111",
"149722765958687529556422848289673028715",
"150449434108351277660639663020626306984"
]
},
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "test/cxx/ServerKit/HttpServerTest.cpp"
},
"signature_type": "Line"
},
{
"id": "CVE-2025-26803-8bc64ebc",
"source": "https://github.com/phusion/passenger/commit/bb15591646687064ab2d578d5f9660b2a4168017",
"digest": {
"threshold": 0.9,
"line_hashes": [
"56306797910680458680513858847827566425",
"107987978948905297822111055413497539884",
"139751539488044244338213004978195162686",
"48406364839894459055057458748751939766",
"126129000892226978084914690524372797523",
"291180202743772447277637424915610914276",
"188977284653619227003663099453266334728",
"130226068079589049085485764552249605384",
"173973034677336729445737777403959927395",
"262345837927918660859994386825782137679",
"34180744244984834765419796061187695365",
"319341072846164040301563324607905281321",
"192951056543837832973618483999217414949",
"259270933250713078401013444110925756315",
"200454570958787743735776054332748498890",
"101634969142578602213220223203494708347",
"135047675219560846260880392497371353209",
"302140513471140508617751085565625995197",
"229042749498650772366122278122817005952",
"149958639359188816005422261764229797479",
"93675738036891230708706215170110964907",
"147653724487706571674821743751749355220",
"277326315136992160470016637510034757982",
"250013227632682964545653287013360620114",
"209169945146585259453642589882980512688",
"224598788670929604982815039037008832878",
"132260228758529287773806128944413748598",
"92489170402380554761043763242323091713",
"29438503903987926917851014139066559631",
"189555827958407754824182830434750045608",
"286687158545363123408087468678845787127",
"35525333612266263991505393357557525303",
"216231157110694763566174999412918954479",
"317783432281886519211468413743749793509",
"91409750413363469243859590167290029056",
"86336466407261702389505609711589246394",
"12020107809228527951654593784585053154",
"47632823417158353134236255785810907391",
"250277989612060786273419153537044138066",
"3891050002115813812055819233733799854",
"250448867392114710200114583775140680642",
"120590564049646061181460079441536230189",
"65209118318471498303135116160411488566",
"143137635858050786177560531215199641368",
"218369963036741708014981733108104921139",
"104847101121720313418745322981688040822",
"135285745199208492867235114986874162369",
"256331294652706969483285050770173010955",
"200922393326521130385609927746818524290"
]
},
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "src/cxx_supportlib/ServerKit/HttpHeaderParser.h"
},
"signature_type": "Line"
}
]