CVE-2025-26803

5.3 MEDIUM

📋 TL;DR

A vulnerability in Phusion Passenger's HTTP parser allows denial-of-service attacks when it processes requests with invalid HTTP methods. It affects web servers running Passenger 6.0.21 through 6.0.25. An attacker can crash the Passenger process by sending specially crafted HTTP requests.

💻 Affected Systems

Products:
  • Phusion Passenger
Versions: 6.0.21 through 6.0.25
Operating Systems: All platforms running Passenger
Default Config Vulnerable: ⚠️ Yes
Notes: All Passenger deployments using affected versions are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability for all applications hosted by Passenger, requiring manual restart of the Passenger process or web server.

🟠 Likely Case

Temporary service disruption affecting specific Passenger instances until automatic or manual recovery occurs.

🟢 If Mitigated

Minimal impact with proper monitoring and automated recovery mechanisms in place.

🌐 Internet-Facing: HIGH - Public web servers are directly exposed to crafted HTTP requests from any internet source.
🏢 Internal Only: MEDIUM - Internal applications could be affected by malicious internal actors or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending HTTP requests with invalid methods, which is trivial to implement.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.0.26

Vendor Advisory: https://blog.phusion.nl/2025/02/19/passenger-6-0-26/

Restart Required: Yes

Instructions:

1. Update Passenger gem: gem update passenger
2. Restart Passenger: passenger-config restart-app
3. Verify version: passenger --version

🔧 Temporary Workarounds

HTTP Method Filtering (applies to: all)

Configure web server or application firewall to reject requests with invalid HTTP methods before they reach Passenger.

🧯 If You Can't Patch

  • Implement rate limiting and request filtering at the edge (CDN, WAF, load balancer)
  • Set up automated monitoring and alerting for Passenger process crashes with auto-restart capabilities

🔍 How to Verify

Check if Vulnerable:

Check the installed Passenger version (the pattern matches 6.0.21 through 6.0.25 as a prefix, so confirm the full version string in the output): passenger --version | grep -E '6\.0\.(2[1-5])'

Check Version:

passenger --version

Verify Fix Applied:

Verify the version is 6.0.26 or higher (the pattern below only covers 6.0.x releases; a later minor or major version needs a numeric comparison instead): passenger --version | grep -E '6\.0\.(2[6-9]|[3-9][0-9])'
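The two grep checks above are prefix matches: the first would also accept a string such as 6.0.250, and the second reports nothing for 6.1.x or 7.x even though those are newer than the fix. The following shell functions are an added example (not from the advisory or the Passenger project) that compare the version numerically against the affected range 6.0.21 through 6.0.25; they assume `passenger --version` prints a line like "Phusion Passenger(R) 6.0.25".

```shell
#!/bin/sh
# Added example, not from the advisory or the Passenger project: decide
# whether a Passenger version is inside the affected range 6.0.21..6.0.25
# by numeric comparison rather than by regex prefix matching.

# Pull the first MAJOR.MINOR.PATCH out of arbitrary text. Assumes
# `passenger --version` prints a line like "Phusion Passenger(R) 6.0.25".
passenger_version_from_output() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Map MAJOR.MINOR.PATCH to a single integer so versions compare with -ge/-le.
# Each component is assumed to stay below 1000.
version_key() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Exit 0 when the version is inside the affected range 6.0.21..6.0.25.
passenger_is_vulnerable() {
    key=$(version_key "$1")
    if [ "$key" -ge "$(version_key 6.0.21)" ] && [ "$key" -le "$(version_key 6.0.25)" ]; then
        return 0
    fi
    return 1
}

# Exit 0 when the version carries the fix (6.0.26 or any newer release).
passenger_is_fixed() {
    if [ "$(version_key "$1")" -ge "$(version_key 6.0.26)" ]; then
        return 0
    fi
    return 1
}

# Inspect the Passenger binary on this host, if one is on PATH.
check_installed_passenger() {
    command -v passenger >/dev/null 2>&1 || { echo "passenger not on PATH"; return 2; }
    v=$(passenger_version_from_output "$(passenger --version 2>/dev/null)")
    if passenger_is_vulnerable "$v"; then
        echo "Passenger $v is affected by CVE-2025-26803; update to 6.0.26 or later"
        return 1
    fi
    echo "Passenger $v is outside the affected range"
}
```

Run `check_installed_passenger` on each host; a non-zero exit means the host is affected (1) or has no Passenger binary on PATH (2).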

📡 Detection & Monitoring

Log Indicators:

  • Passenger process crashes
  • HTTP 400/500 errors for requests with unusual methods
  • Application restarts in Passenger logs

Network Indicators:

  • HTTP requests with invalid/non-standard methods (e.g., 'INVALID', 'TEST', malformed)

SIEM Query:

source="passenger.log" AND ("crash" OR "restart" OR "abnormal exit")
