What is GHSA-48hw-cv6f-mcpj?

GHSA-48hw-cv6f-mcpj is a security advisory published by GitHub Security Advisories with Medium severity. BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP...

Which CVE IDs does GHSA-48hw-cv6f-mcpj cover?

GHSA-48hw-cv6f-mcpj covers the following CVE IDs: CVE-2025-60876. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-48hw-cv6f-mcpj?

GHSA-48hw-cv6f-mcpj has a CVSS v3 base score of 6.5, published by GitHub Security Advisories.

GHSA-48hw-cv6f-mcpjMediumCVSS 6.5

BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP...

Vendor

GitHub Security Advisories

Published

November 10, 2025

Last Modified

June 2, 2026

🔗 CVE IDs covered (1)

CVE-2025-60876 →

📋 Description

BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20).

🔗 References (6)

https://nvd.nist.gov/vuln/detail/CVE-2025-60876
https://gist.github.com/subyumatest/41554af6a72aedaacaec026adc311092
https://lists.busybox.net/pipermail/busybox/attachments/20250823/ccdc96ef/attachment-0001.htm
https://lists.busybox.net/pipermail/busybox/attachments/20250828/e7f90492/attachment.htm
https://cert-portal.siemens.com/productcert/html/ssa-253495.html
https://github.com/advisories/GHSA-48hw-cv6f-mcpj