[PATCH 0/1] Fix for CVE-2025-60876
Radoslav Kolev
radoslav.kolev at suse.com
Wed Nov 12 17:50:53 UTC 2025
Recently CVE-2025-60876 was assigned to a request header injection
vulnerability in busybox wget. It has been reported here before
(https://lists.busybox.net/pipermail/busybox/2025-August/091704.html)
and even a fix proposed (https://lists.busybox.net/pipermail/busybox/2025-August/091710.html)
among other changes. The following patch is a very simple fix of just not
allowing any control characters or spaces in the URL.
Radoslav Kolev (1):
wget: don't allow control characters or spaces in the URL
networking/ping.c | 352 ++++++++++++----------------------------------
networking/wget.c | 9 ++
2 files changed, 102 insertions(+), 259 deletions(-)
--
2.51.1
More information about the busybox
mailing list