{"vuid":"VU#461364","idnumber":"461364","name":"Hiawatha open-source web server has multiple vulnerabilities","keywords":null,"overview":"### Overview\r\nHiawatha is an open-source web server for Unix that has packages for Windows, macOS, and a variety of Linux distributions. Three vulnerabilities were identified in this lightweight web server: improper handling of HTTP headers; an authentication timing attack in the Tomahawk component; and a memory-handling problem leading to data corruption.\r\n\r\n### Description\r\n**CVE-2025-57783** A request smuggling vulnerability caused by improper header parsing has been identified in the `fetch_request` function of Hiawatha web server versions 8.5 through 11.7. This vulnerability allows an unauthenticated attacker to smuggle requests and access restricted resources managed by the server.\r\n\r\n**CVE-2025-57784** An authentication timing attack has been identified in the Tomahawk component of Hiawatha web server versions 8.5 through 11.7. This occurs due to the use of `strcmp`, whose running time depends on how many leading characters match, in the `handle_admin` function. The vulnerability allows a local attacker to access the management client.\r\n\r\n**CVE-2025-57785** A double free in the XSLT `show_index` function has been identified in Hiawatha web server versions 10.8.2 through 11.7. This vulnerability allows an unauthenticated attacker to corrupt data, which may lead to arbitrary code execution.\r\n\r\n### Impact\r\nExploiting the request smuggling vulnerability may allow attackers to bypass authentication, hijack user sessions, or inject malicious payloads into requests.\r\n\r\nExploiting the timing behaviour of the `strcmp` call in the `handle_admin` function involves making repeated password attempts and measuring the response time of each; the attempt that takes longest matches more leading characters, so an attacker can infer the password incrementally. This vulnerability may be time consuming to exploit.\r\n\r\nA double free occurs when a program frees the same memory location more than once. In Hiawatha, the double free in the XSLT `show_index` function originates from a memory-management error during the execution of the XSLT. This may corrupt data and lead to the execution of arbitrary code.\r\n\r\n### Solution\r\nThe Hiawatha developer acknowledges the vulnerabilities and has included mitigations and remediations for all three in a forthcoming release. Install version 11.8 or higher.\r\n\r\n### Acknowledgements\r\nThanks to the reporter Ali Norouzi of Keysight. This document was written by Laurie Tyzenhaus.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":["https://gitlab.com/hsleisink/hiawatha"],"cveids":["CVE-2025-57783","CVE-2025-57785","CVE-2025-57784"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2025-09-09T02:57:47.137529Z","publicdate":"2025-09-09T02:57:46.948216Z","datefirstpublished":"2025-09-09T02:57:47.158937Z","dateupdated":"2026-05-04T13:56:30.106667Z","revision":3,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":136}