
CVE-2025-60876: BusyBox wget HTTP Request Splitting Vulnerability

CVE-2025-60876 is an HTTP request header injection (request splitting) vulnerability in BusyBox wget through version 1.37.0. An attacker who controls a URL that wget fetches can place raw control characters in the request-target and split the HTTP request line. This article covers technical details, affected versions, and mitigations.


CVE-2025-60876 Overview

CVE-2025-60876 is an HTTP request header injection (request splitting) vulnerability in BusyBox wget through version 1.37.0. The client accepts raw carriage return (0x0D), line feed (0x0A), and other C0 control bytes inside the HTTP request-target, and it also fails to reject raw space (0x20), the byte that separates the three tokens of the METHOD SP request-target SP HTTP/1.1 request line. An attacker who controls a URL processed by wget can therefore terminate the request line early and append attacker-controlled headers, or even a second request. BusyBox ships on most embedded Linux systems, routers, and container base images, so the affected footprint is broad.

Critical Impact

Attackers who influence a URL passed to BusyBox wget can inject arbitrary HTTP headers, smuggle requests, or redirect traffic through unintended virtual hosts on shared infrastructure.

Affected Products

  • BusyBox wget applet through version 1.37.0 (the latest upstream release at the time of writing)
  • Embedded Linux distributions bundling vulnerable BusyBox builds
  • Container images and firmware that invoke busybox wget with externally influenced URLs

Discovery Timeline

  • 2025-11-10 - CVE-2025-60876 published to NVD
  • 2025-12-31 - Last updated in NVD database

Technical Details for CVE-2025-60876

Vulnerability Analysis

The vulnerability is an HTTP request splitting / request header injection issue tracked under [CWE-284] (Improper Access Control); the behaviour is described more precisely by CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers, "HTTP Request/Response Splitting"). BusyBox wget constructs its outbound HTTP request by inserting the user-supplied path and query string directly into the request line. The client does not validate that the request-target is free of C0 control characters and spaces before writing it onto the wire.

When a URL contains raw \r\n sequences, those bytes are emitted verbatim. The remote HTTP server then interprets the data after the injected newline as additional request headers or, after an injected blank line, as a second request on the same connection. A raw space is a separate failure mode: it breaks the three-token shape of the HTTP/1.1 request line, so the server either rejects the request or, if lenient, parses the attacker's text as the HTTP version token.

Root Cause

The root cause is missing input validation on the request-target prior to request serialization. RFC 9112 defines the request line as method, request-target, and HTTP version separated by single spaces and terminated by CRLF, and RFC 3986 (referenced by RFC 9110) requires that characters outside the allowed set in the path and query components be percent-encoded. BusyBox wget skips this normalization step and trusts the caller-supplied URL string. Any byte in the C0 range (0x00 through 0x1F, which includes 0x0D and 0x0A), as well as the space byte 0x20, reaches the socket unchanged.
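The following is an added example written for this article (it is not BusyBox source and does not model its actual code): a small Python model of request serialization with the unvalidated path beside a hardened one, plus a minimal server-side parser that shows how a crafted request-target becomes a Host override and a smuggled second request. The validator is also the pre-invocation check that a wrapper script around busybox wget should apply (see Workarounds). Host names and the crafted target are constructed for the demonstration.

```python
import re
from urllib.parse import quote

# Constructed model of how an HTTP/1.1 request is serialized from a caller-supplied
# request-target. Illustrative code for this article; it is not BusyBox source.

# Bytes that must never appear raw in a request-target: C0 controls (0x00-0x1F),
# space (0x20, the request-line token separator) and DEL (0x7F).
FORBIDDEN = re.compile(rb"[\x00-\x20\x7f]")


def build_request_unchecked(host: bytes, target: bytes) -> bytes:
    """Model of the vulnerable path: the request-target is copied onto the wire verbatim."""
    return (b"GET " + target + b" HTTP/1.1\r\n"
            b"Host: " + host + b"\r\n"
            b"Connection: keep-alive\r\n\r\n")


def validate_target(target: bytes) -> bytes:
    """Hardened form, and the check a wrapper script should run before invoking wget:
    refuse any forbidden byte instead of trusting the caller."""
    m = FORBIDDEN.search(target)
    if m:
        raise ValueError(
            f"forbidden byte 0x{m.group()[0]:02x} at offset {m.start()} in request-target")
    return target


def build_request_checked(host: bytes, target: bytes) -> bytes:
    """Serialize only after validation."""
    return build_request_unchecked(host, validate_target(target))


def encode_target(path: str) -> bytes:
    """Alternative remedy: percent-encode the path/query per RFC 3986 so control bytes
    and spaces cannot reach the wire. '%' is kept safe so already-encoded input is not
    double-encoded."""
    return quote(path, safe="/?=&%").encode()


def parse_requests(wire: bytes) -> list:
    """Minimal server-side HTTP/1.1 parser: each blank-line-terminated head is one
    request. This is what turns injected CRLFs into extra headers or a second request."""
    requests = []
    for head in wire.split(b"\r\n\r\n"):
        if not head:
            continue
        lines = head.split(b"\r\n")
        tokens = lines[0].split(b" ")
        if len(tokens) != 3:  # a raw space in the target lands here
            raise ValueError("malformed request-line: %r" % lines[0])
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode()] = value.strip().decode()
        requests.append({"method": tokens[0].decode(),
                         "target": tokens[1].decode(),
                         "headers": headers})
    return requests


# Constructed attacker-controlled request-target (hypothetical host names): it closes
# the request line, injects a Host override, ends the head, and starts a second request.
CRAFTED_TARGET = b"/firmware.bin HTTP/1.1\r\nHost: internal-admin\r\n\r\nGET /secret"

if __name__ == "__main__":
    wire = build_request_unchecked(b"updates.example", CRAFTED_TARGET)
    for r in parse_requests(wire):
        print(r["method"], r["target"], r["headers"])
    try:
        build_request_checked(b"updates.example", CRAFTED_TARGET)
    except ValueError as e:
        print("rejected:", e)
    print(encode_target(CRAFTED_TARGET.decode()))
```

Run as a script, the unchecked path yields two parsed requests: the first is routed by the injected Host: internal-admin, and the second (GET /secret) carries the legitimate Host header that wget appended after the attacker's text. The checked path rejects the same input at the first CR byte, and the percent-encoded form survives as a single, harmless request-target.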

Attack Vector

Exploitation requires the attacker to control a URL that is fetched by a vulnerable wget invocation. Common scenarios include package install scripts, firmware update routines, CI/CD pipelines, and IoT provisioning logic that build URLs from configuration files or remote inputs. The attacker supplies a URL whose path or query contains raw CR/LF bytes (not the percent-encoded form %0d%0a, which does not terminate the request line) followed by injected headers such as a Host: override or cache-control directives. The injected headers can redirect the request to an unintended backend on shared hosting, poison upstream caches, or smuggle a follow-on request through an HTTP/1.1 keep-alive connection. A public proof-of-concept is available in the GitHub Gist PoC Script.

No verified, sanitized exploitation code is reproduced here. Refer to the BusyBox mailing list discussion for the technical writeup shared with maintainers.

Detection Methods for CVE-2025-60876

Indicators of Compromise

  • Outbound HTTP requests originating from BusyBox wget that contain unexpected Host:, X-Forwarded-For:, or duplicate header lines
  • Web server access logs from internal clients showing a recorded request-target that contains a literal HTTP/1.1 token, a second method token, or CR/LF bytes, or a Host header value the client never legitimately uses
  • Firmware or container build logs invoking busybox wget with URLs sourced from untrusted configuration data

Detection Strategies

  • Inspect proxy and egress logs for request-targets containing raw CR/LF or space bytes (the exploit condition) or their percent-encoded forms %0d, %0a and %20 (a probe rather than an exploit, since the encoded form does not split the request line)
  • Run busybox --list (to confirm the wget applet is built in) and busybox | head -1 (which prints the version banner) across the fleet to inventory builds through 1.37.0
  • Scan container images and firmware artifacts for BusyBox binaries and correlate with the vulnerable version range

Monitoring Recommendations

  • Forward egress HTTP proxy logs to a centralized analytics pipeline and alert on CRLF byte sequences in request-targets
  • Monitor for new outbound HTTP destinations from embedded devices that historically contact only known update endpoints
  • Track BusyBox package versions through software bill of materials (SBOM) tooling to flag drift below patched releases
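The detection logic described in Detection Strategies (inspecting egress logs for raw or percent-encoded control bytes in the request-target) and in Monitoring Recommendations (alerting on CRLF sequences) can be run over proxy records as below. This is an added example for this article, not tooling from any proxy vendor or from the BusyBox project; the JSON-lines log schema, field names, timestamps, addresses and host names are constructed assumptions.

```python
import json
import re

# Constructed egress-proxy log records (JSON lines) used as sample input. The schema,
# hosts and addresses are assumptions for this example, not any real proxy's format.
SAMPLE_LOG = "\n".join([
    json.dumps({"ts": "2025-11-12T08:00:01Z", "src": "10.0.4.17", "method": "GET",
                "target": "/fw/v2/update.bin", "host": "updates.example"}),
    # percent-encoded CRLF: harmless on the wire, but a sign that someone is probing
    json.dumps({"ts": "2025-11-12T08:00:09Z", "src": "10.0.4.17", "method": "GET",
                "target": "/fw/v2/update.bin%0d%0aHost:%20internal-admin",
                "host": "updates.example"}),
    # raw CRLF inside the recorded request-target: the exploit condition itself
    json.dumps({"ts": "2025-11-12T08:00:12Z", "src": "10.0.4.22", "method": "GET",
                "target": "/fw/v2/update.bin HTTP/1.1\r\nHost: internal-admin\r\n\r\nGET /secret",
                "host": "updates.example"}),
    # raw space only: malformed request line, lower confidence of hostile intent
    json.dumps({"ts": "2025-11-12T08:00:15Z", "src": "10.0.4.31", "method": "GET",
                "target": "/api/status?device=cam 01", "host": "telemetry.example"}),
])

RAW_CTRL = re.compile(r"[\x00-\x1f\x7f]")
RAW_SPACE = re.compile(r" ")
# %00-%1f and %7f; %20 is deliberately excluded because an encoded space is normal
ENCODED_CTRL = re.compile(r"%(?:0[0-9a-f]|1[0-9a-f]|7f)", re.I)
# a version token followed by a line break, or a line break followed by a method:
# the shape of a split request line or a smuggled second request
EMBEDDED_REQUEST_LINE = re.compile(r"\bHTTP/1\.[01]\r?\n|\n(?:GET|POST|HEAD|PUT|DELETE) ", re.I)


def classify_target(target: str) -> list:
    """Return the list of findings for one recorded request-target (empty if clean)."""
    findings = []
    if RAW_CTRL.search(target):
        findings.append("raw-control-byte")
    if RAW_SPACE.search(target):
        findings.append("raw-space")
    if ENCODED_CTRL.search(target):
        findings.append("percent-encoded-control")
    if EMBEDDED_REQUEST_LINE.search(target):
        findings.append("embedded-request-line")
    return findings


def severity(findings: list) -> str:
    """Raw control bytes or an embedded request line mean the split actually happened."""
    if "raw-control-byte" in findings or "embedded-request-line" in findings:
        return "high"
    return "medium"


def scan_log(text: str) -> list:
    """Parse JSON-lines proxy records and emit one alert per suspicious request-target."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        findings = classify_target(rec.get("target", ""))
        if findings:
            alerts.append({"ts": rec["ts"], "src": rec["src"],
                           "severity": severity(findings), "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["ts"], alert["src"], ", ".join(alert["findings"]))
```

The separation into raw versus percent-encoded findings matters for triage: a raw CR or LF in the recorded target means a vulnerable client really split its request line, while %0d%0a in a target is a probe or a benign quirk and only merits a lower-priority alert. A raw space on its own is malformed but common in sloppy firmware, so it is kept at medium.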

How to Mitigate CVE-2025-60876

Immediate Actions Required

  • Identify all systems shipping BusyBox wget through version 1.37.0 using package inventory or SBOM data
  • Replace untrusted URL inputs to busybox wget with validated, percent-encoded values produced by a hardened wrapper
  • Route outbound HTTP from embedded systems through an egress proxy that strips or rejects control bytes in request-targets

Patch Information

No fixed BusyBox release is referenced in the NVD entry at the time of publication. Track the BusyBox mailing list thread for upstream patches and rebuild affected firmware or container images once a fixed version is released. Distribution maintainers should backport the fix into long-term support branches.

Workarounds

  • Replace busybox wget with a hardened HTTP client such as curl for any code path that fetches attacker-influenceable URLs
  • Pre-validate URLs in calling scripts by rejecting any input containing bytes in the C0 range or raw spaces before invocation
  • Enforce strict allowlists of destination hosts at the network layer to limit the impact of header injection or request smuggling

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
