Recently CVE-2025-60876 was assigned to a request header injection vulnerability in busybox wget. It has been reported here before (https://lists.busybox.net/pipermail/busybox/2025-August/091704.html), and a fix was even proposed (https://lists.busybox.net/pipermail/busybox/2025-August/091710.html) among other changes. The following patch is a very simple fix of just not allowing any control characters or spaces in the URL.

Radoslav Kolev (1):
  wget: don't allow control characters or spaces in the URL

 networking/ping.c | 352 ++++++++++++---------------------------------
 networking/wget.c |   9 ++
 2 files changed, 102 insertions(+), 259 deletions(-)

-- 
2.51.1
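
Review bot: the diffstat lists networking/ping.c with 352 changed lines, which does not fit a series whose only commit subject is about rejecting control characters and spaces in wget URLs; the 9 added lines in networking/wget.c look like the whole fix. Suggest regenerating the series against a clean tree so the ping.c changes are dropped or sent as their own patch, and the diffstat then matches the description.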
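
An added example, not the code from this patch or from BusyBox: a small C sketch of the check described above, showing how a CR/LF in the URL path adds a line to the request headers and how rejecting control characters and spaces prevents it. The names url_is_clean, build_request and count_header_lines, the request format, and the choice to also reject DEL (0x7f) are assumptions made for illustration; the sample URL is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: 1 if s holds no ASCII control chars, space or DEL. */
static int url_is_clean(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;
    for (; *p; p++)
        if (*p <= 0x20 || *p == 0x7f)
            return 0;
    return 1;
}

/* Hypothetical builder: writes a minimal GET request into buf.
 * Returns its length, or -1 if rejected (validate != 0) or too long. */
static int build_request(char *buf, size_t len, const char *host,
                         const char *path, int validate)
{
    int n;
    if (validate && (!url_is_clean(host) || !url_is_clean(path)))
        return -1;
    n = snprintf(buf, len, "GET /%s HTTP/1.1\r\nHost: %s\r\n\r\n", path, host);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Counts CRLF-terminated lines before the blank line ending the headers. */
static int count_header_lines(const char *req)
{
    int lines = 0;
    const char *eol;
    while ((eol = strstr(req, "\r\n")) != NULL && eol != req) {
        lines++;
        req = eol + 2;
    }
    return lines;
}

int main(void)
{
    char req[256];
    const char *path = "a\r\nX-Constructed: 1"; /* constructed sample input */

    /* Without the check the server sees three lines instead of two. */
    if (build_request(req, sizeof req, "example.com", path, 0) > 0)
        printf("unchecked: %d header lines\n", count_header_lines(req));
    /* With the check the URL is refused before any request is built. */
    if (build_request(req, sizeof req, "example.com", path, 1) < 0)
        printf("checked: URL rejected\n");
    return 0;
}
```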
