CVE-2025-26803
Published: 24 February 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-26803 is a denial-of-service vulnerability in the HTTP parser of Phusion Passenger versions 6.0.21 through 6.0.25 (all releases prior to 6.0.26). The flaw, classified as CWE-908 (Use of Uninitialized Resource), is triggered while parsing a specially crafted HTTP request whose method is invalid. It has a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L): medium severity, with a low availability impact and no confidentiality or integrity impact.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction. Sending an HTTP request with an invalid method to a vulnerable Phusion Passenger instance can cause the parser to fail, producing a denial-of-service condition that disrupts availability for legitimate users.
Phusion Passenger advisories recommend upgrading to version 6.0.26, which addresses the issue in commit bb15591646687064ab2d578d5f9660b2a4168017. The release notes and the official blog post describe the fix, and the GitHub comparison between 6.0.25 and 6.0.26 shows the changes; additional support resources are available on the Phusion Passenger site.
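As an added defender-side example (not from the advisory or the Passenger project), the Python below checks a Passenger version string against the affected range stated above and scans reverse-proxy access-log lines for requests whose method is not a standard HTTP method, which is the kind of request this advisory concerns. The combined-log-format regex, the sample log lines and the set of accepted methods are assumptions made for the example.

```python
import re
from typing import List, Optional, Tuple

# Standard HTTP methods (RFC 9110). Anything else in the request line is flagged for triage.
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH"}

# Affected range from the advisory: 6.0.21 through 6.0.25, fixed in 6.0.26.
AFFECTED_MIN = (6, 0, 21)
FIXED = (6, 0, 26)

# Assumed combined log format: ip ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a plain dotted version string such as '6.0.25' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str) -> bool:
    """True if the given Passenger version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def request_method(request_line: str) -> Optional[str]:
    """First token of the logged request line; None if the line is empty."""
    token = request_line.split(" ", 1)[0]
    return token or None


def is_suspicious_method(method: Optional[str]) -> bool:
    """Methods are case-sensitive tokens; anything outside the known set is suspicious."""
    return method is None or method not in KNOWN_METHODS


def find_invalid_method_requests(log_lines: List[str]) -> List[Tuple[str, Optional[str], str]]:
    """Return (client_ip, method, status) for each log line with a non-standard method."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not in the assumed format; skip rather than guess
        method = request_method(match.group("request"))
        if is_suspicious_method(method):
            hits.append((match.group("ip"), method, match.group("status")))
    return hits


# Constructed sample lines; "-" is how nginx logs an empty request line.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Feb/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.5 - - [24/Feb/2025:10:00:02 +0000] "BOGUS / HTTP/1.1" 502 0 "-" "curl/8.0"',
    '198.51.100.7 - - [24/Feb/2025:10:00:03 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Feb/2025:10:00:04 +0000] "-" 400 0 "-" "-"',
]
```

If the parser fails before Passenger logs the request, the application log will not show it, so the front-end proxy's access log is the more reliable source for this check.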
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the HTTP parser lets a remote attacker crash or disrupt a public-facing application with a single malformed request, which maps directly to exploitation of an application or system for denial of service.