CVE-2025-60876

6.5 MEDIUM

📋 TL;DR

BusyBox wget versions through 1.3.7 improperly accept raw CR/LF and C0 control characters in HTTP request targets, allowing attackers to split request lines and inject malicious headers. This vulnerability affects any system using vulnerable BusyBox wget to fetch URLs from untrusted sources. The issue stems from insufficient input validation in HTTP request parsing.

💻 Affected Systems

Products:
  • BusyBox wget
Versions: Through 1.3.7
Operating Systems: Linux, Embedded Linux, Android, Other BusyBox platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects wget usage when fetching URLs; other BusyBox applets are unaffected. Embedded/IoT devices using BusyBox are particularly vulnerable if they fetch external resources.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full HTTP request smuggling leading to server-side request forgery (SSRF), credential theft via injected headers, or redirection to malicious sites when wget interacts with attacker-controlled URLs.

🟠 Likely Case: HTTP header injection enabling limited request manipulation, potentially causing wget to fetch unintended resources or leak information via injected headers.

🟢 If Mitigated: Minimal impact if wget only accesses trusted URLs with proper input validation and network segmentation.

🌐 Internet-Facing: MEDIUM - Exploitation requires wget to process attacker-controlled URLs, which is common in web scraping or automated download scenarios.
🏢 Internal Only: LOW - Internal systems typically fetch from trusted sources, reducing attack surface unless processing user-supplied URLs.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept available in mailing list attachments; exploitation requires wget to process a malicious URL, which can be delivered via phishing, malicious websites, or compromised services.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: BusyBox 1.3.8 or later

Vendor Advisory: https://lists.busybox.net/pipermail/busybox/

Restart Required: No

Instructions:

1. Update BusyBox to version 1.3.8 or later.
2. For embedded systems: rebuild firmware with patched BusyBox or apply vendor updates.
3. Verify wget no longer accepts raw CR/LF/space in request targets.

🔧 Temporary Workarounds

Input validation wrapper

Create a wrapper script that validates URLs before passing them to wget, rejecting any URL that carries a raw control character or whitespace (the characters a vulnerable wget copies unescaped into the request line).

#!/bin/bash
# Reject a URL that carries a raw C0 control character (CR, LF, TAB, ...),
# DEL, or whitespace anywhere in it. A shell variable cannot hold NUL, so a
# bash string pattern is used instead of a grep pattern with \x00 in it.
url="$1"
case "$url" in
    *[[:cntrl:][:space:]]*)
        echo "Invalid URL: control character or whitespace in URL" >&2
        exit 1
        ;;
esac
exec busybox wget "$url"

Use alternative download tool

Replace wget with curl or another download utility that properly validates HTTP requests.

apt-get install curl
yum install curl
apk add curl

🧯 If You Can't Patch

  • Restrict wget to only fetch from trusted, whitelisted domains using firewall rules or proxy configurations.
  • Monitor wget usage for unusual patterns and implement strict input validation in any scripts calling wget.

🔍 How to Verify

Check if Vulnerable:

Test against a local listener. In one terminal, capture whatever wget sends with `nc -l -p 8080 > request.txt` (plain `nc -l 8080` on BSD-style netcat); in another, run `busybox wget -O /dev/null $'http://localhost:8080/test\r\nInjected: header'`. The listener never answers, so interrupt wget once the request has arrived, then inspect request.txt: on a vulnerable build the request line is split and "Injected: header" appears as its own header line; a fixed build rejects the URL or does not pass the injected header.

Check Version:

BusyBox applets have no --version of their own; the first line of the bare busybox banner carries the version, and the applet list shows whether wget is built in:

busybox | head -1; busybox | grep -ow wget

Verify Fix Applied:

After update, repeat vulnerable test; wget should reject the request or not pass injected headers.

📡 Detection & Monitoring

Log Indicators:

  • Unusual wget processes fetching unexpected URLs
  • HTTP requests with raw CR/LF characters in logs
  • Failed wget attempts with malformed URLs

Network Indicators:

  • HTTP requests containing %0D, %0A, or other control characters in paths
  • Unexpected HTTP headers in wget-initiated requests

SIEM Query:

process.name:"wget" AND (url.path:*\r* OR url.path:*\n* OR url.path:*%0D* OR url.path:*%0A*)
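Added example (not part of the advisory and not BusyBox code): a Python scanner for the log indicators above. It pulls the request target out of constructed Common Log Format lines and flags raw, percent-encoded and logger-escaped CR/LF, recovering a target that was split across lines whole rather than cutting it at the first space. The log lines are constructed samples, and the \xHH escape form assumes the nginx/Apache logging convention.

```python
import re

# Constructed access-log lines (Common Log Format), not from the advisory.
# Line 2 carries percent-encoded CR/LF, line 3 raw CR/LF bytes, and line 4
# the \xHH escapes that nginx and Apache write when they log control bytes.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:12:00:00 +0000] "GET /firmware/update.bin HTTP/1.1" 200 1024 "-" "Wget"',
    '10.0.0.5 - - [01/Jan/2025:12:00:01 +0000] "GET /test%0D%0AInjected:%20header HTTP/1.1" 404 12 "-" "Wget"',
    '10.0.0.6 - - [01/Jan/2025:12:00:02 +0000] "GET /test\r\nInjected: header HTTP/1.1" 400 0 "-" "Wget"',
    '10.0.0.6 - - [01/Jan/2025:12:00:03 +0000] "GET /test\\x0D\\x0AInjected: header HTTP/1.1" 400 0 "-" "Wget"',
    '10.0.0.7 - - [01/Jan/2025:12:00:04 +0000] "GET /images/logo%20small.png HTTP/1.1" 200 512 "-" "curl/8.0"',
]

RAW_CTRL = re.compile(r'[\x00-\x1f\x7f ]')                        # literal C0/DEL byte or space in the target
ENCODED_CTRL = re.compile(r'%(?:[01][0-9a-f]|7f)', re.I)           # %00-%1F, %7F (covers %0D and %0A)
ESCAPED_CTRL = re.compile(r'\\x(?:[01][0-9a-f]|7f)|\\[rn]', re.I)  # \x0D, \x0A, \r, \n as written by the logger

def request_target(line):
    """Request target from a CLF line's first quoted field, or None.

    Method is the first token and protocol version the last, so a target that
    CR/LF split into several space-separated pieces is recovered whole."""
    m = re.search(r'"([^"]*)"', line)
    if not m:
        return None
    parts = m.group(1).split(' ')
    if len(parts) < 3 or not parts[-1].startswith('HTTP/'):
        return None
    return ' '.join(parts[1:-1])

def inspect_target(target):
    """List the reasons a request target looks like CR/LF injection (empty if clean)."""
    reasons = []
    if RAW_CTRL.search(target):
        reasons.append('raw control character or space')
    if ENCODED_CTRL.search(target):
        reasons.append('percent-encoded control character')
    if ESCAPED_CTRL.search(target):
        reasons.append('log-escaped control character')
    return reasons

def scan_log(lines):
    """Return [(line_no, target, reasons)] for every line that merits an alert."""
    hits = []
    for no, line in enumerate(lines, 1):
        target = request_target(line)
        reasons = inspect_target(target) if target else []
        if reasons:
            hits.append((no, target, reasons))
    return hits
```

Run `scan_log` over a real access log read line by line; the percent-encoded check is the noisiest of the three, since %0D%0A is also how a legitimate client encodes a newline, so weight it lower than a raw or escaped control byte.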
