{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/461364#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nHiawatha is an open-source webserver for Unix that has packages for Windows, macOS, and a variety of Linux distributions. Three vulnerabilities were identified in this lightweight web server: improper handling of HTTP headers; an authentication timing attack in the Tomahawk component; and a memory-handling problem leading to data corruption. \r\n\r\n### Description\r\n**CVE-2025-57783** A request smuggling vulnerability caused by improper header parsing has been identified in the `fetch_request` function of Hiawatha web server versions 8.5 through 11.7. This vulnerability allows an unauthenticated attacker to smuggle requests and access restricted resources managed by the server.\r\n\r\n**CVE-2025-57784** An authentication timing attack has been identified in the Tomahawk component of Hiawatha webserver versions 8.5 through 11.7. This occurs due to the use of `strcmp` in the `handle_admin` function. The vulnerability allows a local attacker to access the management client.\r\n\r\n**CVE-2025-57785** A double free in the XSLT `show_index` function has been identified in Hiawatha web server versions 10.8.2 through 11.7. This vulnerability allows an unauthenticated attacker to corrupt data, which may lead to arbitrary code execution.\r\n\r\n### Impact\r\nExploiting the request smuggling vulnerability may result in attackers bypassing authentication, hijacking user sessions, or injecting malicious payloads into requests.\r\n\r\nExploiting the timing behaviour of `strcmp` in the `handle_admin` function involves making repeated password attempts, measuring the time taken by each, and assuming that the attempt that takes longest matches more characters of the correct password. This vulnerability may be time consuming to exploit.\r\n\r\nA double free occurs when a program frees the same memory location more than once. In this web server, the XSLT `show_index` function may reach that state through an error in memory management during XSLT processing. The result is corrupted data, which may lead to the execution of arbitrary code.\r\n\r\n### Solution\r\nThe Hiawatha developer acknowledges the vulnerabilities and has included mitigations and remediations for all three vulnerabilities in a forthcoming release. Install version 11.8 or higher. \r\n\r\n### Acknowledgements\r\nThanks to the reporter Ali Norouzi of Keysight. This document was written by Laurie Tyzenhaus.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL, if provided by the vendor, for more details.","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/461364"},{"url":"https://gitlab.com/hsleisink/hiawatha","summary":"https://gitlab.com/hsleisink/hiawatha"}],"title":"Hiawatha open-source web server has multiple vulnerabilities","tracking":{"current_release_date":"2026-05-04T13:56:30+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.40"}},"id":"VU#461364","initial_release_date":"2025-09-09 02:57:46.948216+00:00","revision_history":[{"date":"2026-05-04T13:56:30+00:00","number":"1.20260504135630.3","summary":"Released on 2026-05-04T13:56:30+00:00"}],"status":"final","version":"1.20260504135630.3"}},"vulnerabilities":[{"title":"Improper header parsing that may lead to request smuggling has been identified in Hiawatha webserver version 11.","notes":[{"category":"summary","text":"Improper header parsing that may lead to request smuggling has been identified in Hiawatha webserver version 11.7, which allows an unauthenticated attacker to access restricted resources managed by Hiawatha webserver."}],"cve":"CVE-2025-57783","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#461364"}]},{"title":"A Tomahawk authentication timing attack due to the use of `strcmp` has been identified in Hiawatha webserver version 11.","notes":[{"category":"summary","text":"A Tomahawk authentication timing attack due to the use of `strcmp` has been identified in Hiawatha webserver version 11.7, which allows a local attacker to access the management client."}],"cve":"CVE-2025-57784","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#461364"}]},{"title":"A double free in XSLT `show_index` has been identified in Hiawatha webserver version 11.","notes":[{"category":"summary","text":"A double free in XSLT `show_index` has been identified in Hiawatha webserver version 11.7, which allows an unauthenticated attacker to corrupt data, which may lead to arbitrary code execution."}],"cve":"CVE-2025-57785","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#461364"}]}],"product_tree":{"branches":[]}}