CVE-2025-26803: The http parser in Phusion Passenger 6.0.21 through 6.0.25 before 6.0.26 allows a denial of service during parsing of a request with an invalid...

Description

The http parser in Phusion Passenger 6.0.21 through 6.0.25 before 6.0.26 allows a denial of service during parsing of a request with an invalid HTTP method.

Classification

CVE ID: CVE-2025-26803

Affected Products

Vendor: n/a

Product: n/a

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.18% (probability of being exploited)

EPSS Percentile: 35.82% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-03-25 (date on which this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-26803
https://www.phusionpassenger.com/support
https://github.com/phusion/passenger/compare/release-6.0.25...release-6.0.26
https://github.com/phusion/passenger/releases/tag/release-6.0.26
https://blog.phusion.nl/2025/02/19/passenger-6-0-26/
https://github.com/phusion/passenger/commit/bb15591646687064ab2d578d5f9660b2a4168017

Timeline