CVE-2025-26803

Published: Feb 24, 2025Modified: Feb 28, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

The http parser in Phusion Passenger 6.0.21 through 6.0.25 before 6.0.26 allows a denial of service during parsing of a request with an invalid HTTP method.

Affected (1)

Products: Phusion: Passenger

Phusion

1 product

Passenger

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Phusion Passenger	From 6.0.21 to 6.0.26

Related CWEs

CWE-908

Use of Uninitialized Resource

The product uses or accesses a resource that has not been initialized.

References (5)

https://blog.phusion.nl/2025/02/19/passenger-6-0-26/

Source: cve@mitre.org

Vendor Advisory

https://github.com/phusion/passenger/commit/bb15591646687064ab2d578d5f9660b2a4168017

Source: cve@mitre.org

Patch

https://github.com/phusion/passenger/compare/release-6.0.25...release-6.0.26

Source: cve@mitre.org

Patch

https://github.com/phusion/passenger/releases/tag/release-6.0.26

Source: cve@mitre.org

Patch

https://www.phusionpassenger.com/support

Source: cve@mitre.org

Product

Timeline

No history available yet.