lighttpd Trailer Field Merging Vulnerability Leading to HTTP Header Smuggling

Vulnerability

lighttpd 1.4.80 merges the trailer fields of a chunked HTTP/1.1 request into the request's header set after the request headers have already been parsed, so the merged values never pass through the checks that were applied when the headers were read. Trailer fields that are not permitted in a trailer section, such as Connection or Forwarded, are therefore treated as ordinary request headers. An attacker who controls the trailer section can use this to bypass access control rules that are evaluated on request headers, to inject unsafe input into backend logic that trusts those headers, and, under certain conditions, to carry out HTTP Request Smuggling attacks.

Impact

Exploitation results in HTTP Header Smuggling: attacker-controlled trailer fields are presented to lighttpd's own request processing, and to any backend it forwards the request to, as if they were request headers. Decisions that rely on those headers (access control rules, client identification via a field such as Forwarded, connection handling via Connection) can be influenced by values that were never validated as headers, and under certain conditions the mismatch between what the front end and the backend see can be leveraged for HTTP Request Smuggling.

Reproduction

Send an HTTP/1.1 request with Transfer-Encoding: chunked (trailer sections only exist in chunked messages) whose trailer section, placed after the terminating zero-size chunk, carries a field that is disallowed in trailers, such as Connection or Forwarded. Then inspect the server's response, or what a backend behind lighttpd receives, for evidence that the trailer value was handled as a request header. If it was, the server is affected; a fixed server does not treat such trailer fields as request headers.

Remediation

Upgrade to lighttpd 1.4.81 or later, which fixes this issue. After upgrading, repeat the reproduction request to confirm that disallowed trailer fields are no longer treated as request headers.

Added: Nov 3, 2025, 8:18 PM
Updated: Nov 3, 2025, 8:18 PM

Vulnerability Rating

Custom Algorithm

  spread          7.6
  impact          5.0
  exploitability  9.3
  remediation     7.7
  relevance       0.9
  threat          4.8
  urgency         2.9
  incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.