| Name | CVE-2025-55763 |
| Description | Buffer Overflow in the URI parser of CivetWeb 1.14 through 1.16 (latest) allows a remote attacker to achieve remote code execution via a crafted HTTP request. This vulnerability is triggered during request processing and may allow an attacker to corrupt heap memory, potentially leading to denial of service or arbitrary code execution. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1112507 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| civetweb (PTS) | bullseye | 1.13+dfsg-5 | vulnerable |
| bookworm | 1.15+dfsg-4 | vulnerable | |
| trixie | 1.16+dfsg-2 | vulnerable | |
| forky, sid | 1.16+dfsg-3 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| civetweb | source | (unstable) | 1.16+dfsg-3 | 1112507 |
[trixie] - civetweb <no-dsa> (Minor issue)
[bookworm] - civetweb <no-dsa> (Minor issue)
[bullseye] - civetweb <postponed> (Minor issue)
https://github.com/krispybyte/CVE-2025-55763
https://github.com/civetweb/civetweb/pull/1347
https://github.com/civetweb/civetweb/issues/1348
Fixed by: https://github.com/civetweb/civetweb/commit/76e222bcb77ba8452e5da4e82ae6cecd499c25e0
Fixed by: https://github.com/civetweb/civetweb/commit/d5321963b1d0bc953101de91f8588bf83db73bf5