CVE-2025-26803
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
The HTTP parser in Phusion Passenger 6.0.21 through 6.0.25 allows a denial of service while parsing a request whose HTTP method is invalid. Fixed in 6.0.26.
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Upgrade to Phusion Passenger 6.0.26 or later (Debian ships the fix as 6.0.26+ds-1).
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2025-26803
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2025-26803.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | | affected | |
| debian | bookworm | not affected | |
| debian | bullseye | not affected | |
| debian | forky | fixed | 6.0.26+ds-1 |
| debian | sid | fixed | 6.0.26+ds-1 |
| debian | trixie | fixed | 6.0.26+ds-1 |
For bookworm and bullseye the Debian tracker reports a fixed version of "0", its marker for a release whose package never shipped a version in the affected range.
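As an added example, not code from Passenger or from this tracker: a small Ruby script that maps a version string, whether the output of `passenger-config --version` or a Debian package version such as 6.0.26+ds-1, onto the affected range stated in the description (6.0.21 through 6.0.25, fixed in 6.0.26). The `passenger-config --version` call and the sample version strings are assumptions made for illustration; only the range boundaries come from the page.

```ruby
# Added example (not Passenger's or the tracker's own code): decide whether
# a Phusion Passenger version string is inside the CVE-2025-26803 range,
# 6.0.21 through 6.0.25 inclusive, fixed in 6.0.26 (per the description).

AFFECTED_FROM = [6, 0, 21].freeze
FIXED_IN      = [6, 0, 26].freeze

# Pull the upstream x.y.z triple out of the forms seen in practice:
#   "Phusion Passenger(R) 6.0.25"  -- passenger-config --version (assumed format)
#   "6.0.26+ds-1"                  -- Debian package version
# Returns nil when no version triple is present.
def parse_version(str)
  m = str.to_s.match(/(\d+)\.(\d+)\.(\d+)/)
  m && m.captures.map(&:to_i)
end

# true  => version is in the affected range
# false => version is below the range or at/after the fix
# nil   => could not parse a version
def affected?(str)
  v = parse_version(str)
  return nil unless v
  # Array#<=> compares element-wise, so [6,0,25] <=> [6,0,26] == -1.
  (v <=> AFFECTED_FROM) >= 0 && (v <=> FIXED_IN) < 0
end

# Human-readable verdict for a version string.
def verdict(str)
  case affected?(str)
  when true  then "#{str}: AFFECTED, upgrade to 6.0.26 or later"
  when false then "#{str}: not affected"
  else            "#{str.inspect}: could not determine version"
  end
end

# Ask the locally installed Passenger, if any, via its own CLI.
# Returns the trimmed output or nil when the command is unavailable.
def installed_version_string
  out = `passenger-config --version 2>/dev/null`
  out.strip.empty? ? nil : out.strip
rescue Errno::ENOENT
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, followed by a live query of this host.
  ["Phusion Passenger(R) 6.0.25", "6.0.26+ds-1", "6.0.17+ds-1", "6.0.21",
   installed_version_string].each { |s| puts verdict(s) }
end
```

Run it on each host that fronts a Passenger application; a nil verdict means the CLI was not found on PATH (or printed something unexpected), not that the host is clean, so fall back to the package manager's version string in that case.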
References
- https://github.com/advisories/GHSA-2cj2-qqxj-5m3r
- https://www.suse.com/security/cve/CVE-2025-26803.html
- https://nvd.nist.gov/vuln/detail/CVE-2025-26803
- https://github.com/phusion/passenger/commit/bb15591646687064ab2d578d5f9660b2a4168017
- https://blog.phusion.nl/2025/02/19/passenger-6-0-26
- https://github.com/phusion/passenger
- https://github.com/phusion/passenger/compare/release-6.0.25...release-6.0.26
- https://github.com/phusion/passenger/releases/tag/release-6.0.26
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2025-26803.yml
- https://www.phusionpassenger.com/support
- https://security-tracker.debian.org/tracker/CVE-2025-26803