Overview
Hiawatha is an open-source web server for Unix, with packages for Windows, macOS, and a variety of Linux distributions. Three vulnerabilities were identified in this lightweight web server: improper handling of HTTP headers, an authentication timing attack in the Tomahawk component, and a memory-handling problem leading to data corruption.
Description
CVE-2025-57783 A request smuggling vulnerability caused by improper header parsing has been identified in the fetch_request function of Hiawatha web server versions 8.5 through 11.7. This vulnerability allows an unauthenticated attacker to smuggle requests and access restricted resources managed by the server.
CVE-2025-57784 An authentication timing attack has been identified in the Tomahawk component of Hiawatha webserver versions 8.5 through 11.7. This occurs due to the use of strcmp in the handle_admin function. The vulnerability allows a local attacker to access the management client.
CVE-2025-57785 A double free in the XSLT show_index function has been identified in Hiawatha web server versions 10.8.2 through 11.7. This vulnerability allows an unauthenticated attacker to corrupt data, which may lead to arbitrary code execution.
Impact
Exploiting the request smuggling vulnerability may allow attackers to bypass authentication, hijack user sessions, or inject malicious payloads into requests.
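The note says only that fetch_request parsed headers improperly; it does not say which ambiguity was accepted. As an added example (not Hiawatha's code, and not a reconstruction of its bug), this is the generic framing check a smuggling-resistant parser applies to the request head before trusting any body length: CRLF-only line endings, no whitespace inside field names, at most one Content-Length, a digits-only Content-Length value, and never Content-Length together with Transfer-Encoding. The function and enum names are hypothetical, and the request strings in the usage note are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

enum framing_result {
    FRAMING_OK = 0,
    FRAMING_NO_HEADER_END,      /* no CRLF CRLF terminating the head */
    FRAMING_BARE_LF,            /* a line ended with LF alone */
    FRAMING_BAD_LINE,           /* no colon, empty name, or whitespace in the name */
    FRAMING_DUP_CONTENT_LENGTH, /* more than one Content-Length field */
    FRAMING_BAD_CONTENT_LENGTH, /* Content-Length not a plain decimal number */
    FRAMING_CL_AND_TE           /* Content-Length together with Transfer-Encoding */
};

/* ASCII case-insensitive match of a field name (not NUL-terminated) against a literal. */
static int name_is(const char *name, size_t nlen, const char *lit) {
    if (strlen(lit) != nlen) return 0;
    for (size_t i = 0; i < nlen; i++)
        if (tolower((unsigned char)name[i]) != tolower((unsigned char)lit[i])) return 0;
    return 1;
}

/* Validates the framing of a raw request head (request line plus header
 * fields, terminated by CRLF CRLF). Returns FRAMING_OK only when the body
 * length is unambiguous; any other value means the request should be
 * rejected rather than guessed at. */
enum framing_result check_request_framing(const char *raw) {
    const char *end = strstr(raw, "\r\n\r\n");
    if (end == NULL) return FRAMING_NO_HEADER_END;

    /* Reject a bare LF anywhere in the head: two parsers that disagree on
     * whether LF ends a line will disagree on where the body starts. */
    for (const char *p = raw; p < end; p++)
        if (*p == '\n' && (p == raw || p[-1] != '\r')) return FRAMING_BARE_LF;

    const char *line = strstr(raw, "\r\n");   /* skip the request line */
    if (line == NULL) return FRAMING_NO_HEADER_END;
    line += 2;

    int cl_count = 0, has_te = 0;
    while (line < end) {
        const char *eol = strstr(line, "\r\n"); /* never NULL: 'end' starts with CRLF */
        size_t len = (size_t)(eol - line);
        const char *colon = memchr(line, ':', len);
        if (colon == NULL || colon == line) return FRAMING_BAD_LINE;

        size_t nlen = (size_t)(colon - line);
        for (size_t i = 0; i < nlen; i++)           /* "Content-Length : 5" is rejected */
            if (isspace((unsigned char)line[i])) return FRAMING_BAD_LINE;

        const char *val = colon + 1, *vend = eol;    /* trim optional whitespace */
        while (val < vend && (*val == ' ' || *val == '\t')) val++;
        while (vend > val && (vend[-1] == ' ' || vend[-1] == '\t')) vend--;

        if (name_is(line, nlen, "content-length")) {
            if (++cl_count > 1) return FRAMING_DUP_CONTENT_LENGTH;
            if (val == vend) return FRAMING_BAD_CONTENT_LENGTH;
            for (const char *d = val; d < vend; d++)
                if (!isdigit((unsigned char)*d)) return FRAMING_BAD_CONTENT_LENGTH;
        } else if (name_is(line, nlen, "transfer-encoding")) {
            has_te = 1;
        }
        line = eol + 2;
    }
    if (cl_count > 0 && has_te) return FRAMING_CL_AND_TE;
    return FRAMING_OK;
}
```

A head such as `GET / HTTP/1.1\r\nHost: h\r\nContent-Length: 5\r\n\r\n` passes, while the same head with an added `Transfer-Encoding: chunked` line, a second Content-Length, or `Host: h\n` (bare LF) is rejected with the matching reason. Rejecting rather than "picking one" is the point: smuggling needs two components to resolve the same ambiguity differently.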
Exploiting the timing behaviour of the strcmp call in the handle_admin function: an attacker may submit repeated password attempts and measure the time each takes to be rejected; the longest attempt is the one that matched the most characters, and is taken as the closest guess to the password. This vulnerability may be time consuming to exploit.
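As an added illustration (not Hiawatha's code, and not the fix shipped in 11.8, which this note does not show), the early-exit comparison that strcmp performs is placed beside a fixed-time replacement of the kind a password check should use. The function names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Early-exit comparison: strcmp() stops at the first differing byte, so a
 * guess that shares more leading bytes with the secret takes measurably
 * longer to reject. Kept here only as the contrast case. */
int leaky_equals(const char *supplied, const char *secret) {
    return strcmp(supplied, secret) == 0;
}

/* Fixed-time comparison over the secret's full length. Differences are
 * folded into 'diff' with OR, never with an early return, so the time taken
 * does not depend on which bytes match. A length mismatch is folded in the
 * same way. Bytes of 'supplied' beyond its own length read as 0; the
 * supplied length is chosen by the caller and is not secret, so branching
 * on it leaks nothing. */
int fixed_time_equals(const unsigned char *supplied, size_t supplied_len,
                      const unsigned char *secret, size_t secret_len) {
    unsigned char diff = (supplied_len != secret_len) ? 1 : 0;
    for (size_t i = 0; i < secret_len; i++) {
        unsigned char s = (i < supplied_len) ? supplied[i] : 0;
        diff |= (unsigned char)(s ^ secret[i]);
    }
    return diff == 0;
}

/* Convenience wrapper for NUL-terminated strings. */
int fixed_time_str_equals(const char *supplied, const char *secret) {
    return fixed_time_equals((const unsigned char *)supplied, strlen(supplied),
                             (const unsigned char *)secret, strlen(secret));
}
```

In practice the stored value compared this way is a password hash rather than the password itself; the same fixed-time routine applies. Confirming the fix under a compiler needs a look at the generated code, since an optimiser may reintroduce an early exit it can prove equivalent.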
A double free occurs when a program frees the same memory location more than once. In this web server, the double free in the XSLT show_index function may originate from an error in memory management during XSLT execution. The result may be corrupted data, which in turn may lead to the execution of arbitrary code.
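The usual shape of such a bug is an error path that releases a buffer and a later cleanup that releases it again. As an added example (not Hiawatha's code; the struct and function names are hypothetical stand-ins for the buffers an XSLT-driven index page would hold), this shows the single-owner cleanup discipline that removes the second free: every release goes through one routine that nulls the pointer, so a repeated cleanup finds nothing to do.

```c
#include <stdlib.h>
#include <string.h>

/* Frees *p at most once: after the first call *p is NULL, so a second
 * cleanup on the same error path (the shape of a double free) is a no-op.
 * Returns 1 if memory was released, 0 if there was nothing to release. */
int release_once(char **p) {
    if (p == NULL || *p == NULL) return 0;
    free(*p);
    *p = NULL;
    return 1;
}

/* Hypothetical state for rendering a directory index. */
struct index_render {
    char *listing;  /* generated XML listing */
    char *output;   /* transformed HTML */
};

/* Idempotent cleanup: returns how many buffers were actually released. */
int index_render_cleanup(struct index_render *r) {
    return release_once(&r->listing) + release_once(&r->output);
}

static char *dup_string(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL) memcpy(p, s, n);
    return p;
}

/* Builds the listing and the transformed output. On failure it cleans up
 * its own partial state through the same idempotent routine, so a caller
 * that also runs cleanup afterwards cannot free anything twice.
 * fail_transform simulates an error in the transform step (constructed). */
int index_render_run(struct index_render *r, int fail_transform) {
    r->listing = dup_string("<index><file>a.txt</file></index>");
    if (r->listing == NULL) return -1;
    if (fail_transform) {
        index_render_cleanup(r);   /* frees listing and nulls it */
        return -1;
    }
    r->output = dup_string("<html>a.txt</html>");
    if (r->output == NULL) {
        index_render_cleanup(r);
        return -1;
    }
    return 0;
}
```

Running the failing path and then calling index_render_cleanup again releases nothing and returns 0; the successful path releases both buffers on the first cleanup and nothing on a second. Tools such as AddressSanitizer report the double free directly in a build of the original pattern, which is the quickest way to confirm a fix of this kind.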
Solution
The Hiawatha developer acknowledges the vulnerabilities and has included mitigations and remediations for all three vulnerabilities in a forthcoming release. Install version 11.8 or higher.
Acknowledgements
Thanks to the reporter Ali Norouzi of Keysight. This document was written by Laurie Tyzenhaus.
Vendor Information
References
Other Information
| Field | Value |
| --- | --- |
| CVE IDs | CVE-2025-57783, CVE-2025-57784, CVE-2025-57785 |
| API URL | VINCE JSON, CSAF |
| Date Public | 2025-09-09 |
| Date First Published | 2025-09-09 |
| Date Last Updated | 2026-05-04 13:56 UTC |
| Document Revision | 3 |