{"id":"CVE-2025-26803","details":"The http parser in Phusion Passenger 6.0.21 through 6.0.25 before 6.0.26 allows a denial of service during parsing of a request with an invalid HTTP method.","aliases":["BIT-passenger-2025-26803","BIT-passenger-apache-module-2025-26803","BIT-passenger-nginx-module-2025-26803","GHSA-2cj2-qqxj-5m3r"],"modified":"2026-04-11T00:58:53.578306Z","published":"2025-02-24T16:15:15.020Z","references":[{"type":"WEB","url":"https://www.phusionpassenger.com/support"},{"type":"ADVISORY","url":"https://blog.phusion.nl/2025/02/19/passenger-6-0-26/"},{"type":"FIX","url":"https://github.com/phusion/passenger/releases/tag/release-6.0.26"},{"type":"FIX","url":"https://github.com/phusion/passenger/commit/bb15591646687064ab2d578d5f9660b2a4168017"},{"type":"FIX","url":"https://github.com/phusion/passenger/compare/release-6.0.25...release-6.0.26"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/phusion/passenger","events":[{"introduced":"a92fb74f0c6a1360b34e5624c7c801dbf8e5d77a"},{"fixed":"bb15591646687064ab2d578d5f9660b2a4168017"}],"database_specific":{"versions":[{"introduced":"6.0.21"},{"fixed":"6.0.26"}]}}],"versions":["release-6.0.21","release-6.0.22","release-6.0.23","release-6.0.24","release-6.0.25"],"database_specific":{"vanir_signatures_modified":"2026-04-11T00:58:53Z","source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-26803.json","vanir_signatures":[{"id":"CVE-2025-26803-5dbd898d","deprecated":false,"signature_version":"v1","digest":{"line_hashes":["8117683699263027943438562268108237960","159846368970890992501970301852003687410","151568209576910701785016521101112350064","63733756707479690652796638646275626111","149722765958687529556422848289673028715","150449434108351277660639663020626306984"],"threshold":0.9},"signature_type":"Line","target":{"file":"test/cxx/ServerKit/HttpServerTest.cpp"},"source":"https://github.com/phusion/passenger/commit/bb15591646687064ab2d578d5f9660b2a4168017"},{"id":"CVE-2025-26803-8bc64ebc","deprecated":false,"signature_version":"v1","digest":{"line_hashes":["56306797910680458680513858847827566425","107987978948905297822111055413497539884","139751539488044244338213004978195162686","48406364839894459055057458748751939766","126129000892226978084914690524372797523","291180202743772447277637424915610914276","188977284653619227003663099453266334728","130226068079589049085485764552249605384","173973034677336729445737777403959927395","262345837927918660859994386825782137679","34180744244984834765419796061187695365","319341072846164040301563324607905281321","192951056543837832973618483999217414949","259270933250713078401013444110925756315","200454570958787743735776054332748498890","101634969142578602213220223203494708347","135047675219560846260880392497371353209","302140513471140508617751085565625995197","229042749498650772366122278122817005952","149958639359188816005422261764229797479","93675738036891230708706215170110964907","147653724487706571674821743751749355220","277326315136992160470016637510034757982","250013227632682964545653287013360620114","209169945146585259453642589882980512688","224598788670929604982815039037008832878","132260228758529287773806128944413748598","92489170402380554761043763242323091713","29438503903987926917851014139066559631","189555827958407754824182830434750045608","286687158545363123408087468678845787127","35525333612266263991505393357557525303","216231157110694763566174999412918954479","317783432281886519211468413743749793509","91409750413363469243859590167290029056","86336466407261702389505609711589246394","12020107809228527951654593784585053154","47632823417158353134236255785810907391","250277989612060786273419153537044138066","3891050002115813812055819233733799854","250448867392114710200114583775140680642","120590564049646061181460079441536230189","65209118318471498303135116160411488566","143137635858050786177560531215199641368","218369963036741708014981733108104921139","104847101121720313418745322981688040822","135285745199208492867235114986874162369","256331294652706969483285050770173010955","200922393326521130385609927746818524290"],"threshold":0.9},"signature_type":"Line","target":{"file":"src/cxx_supportlib/ServerKit/HttpHeaderParser.h"},"source":"https://github.com/phusion/passenger/commit/bb15591646687064ab2d578d5f9660b2a4168017"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}