How to fix CVE-2025-1867?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Monitor vendor channels for patch availability.

Is Request Smuggling affected by CVE-2025-1867?

CVE-2025-1867 presents critical security risk rated CVSS 10.0. Successful exploitation could critically impact the confidentiality, integrity, and availability of affected systems.

CVE-2025-1867

CRITICAL

2025-03-03 [email protected]

10.0

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:29 vuln.today

CVE Published

Mar 03, 2025 - 09:15 nvd

CRITICAL 10.0

Description

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in ithewei libhv allows HTTP Response Smuggling.This issue affects libhv: through 1.3.3.

Analysis

A critical HTTP Request/Response Smuggling vulnerability (CWE-444) in ithewei libhv library versions up to 1.3.3 allows attackers to manipulate HTTP request interpretation between frontend and backend servers. With a CVSS 4.0 score of 10.0, this vulnerability requires no authentication or user interaction and can be exploited remotely with low complexity. HTTP smuggling attacks can bypass security controls, poison web caches, hijack user sessions, and enable cross-site scripting, making this particularly dangerous in environments using libhv as a reverse proxy or HTTP server component.

Technical Context

libhv is a cross-platform C/C++ network library providing HTTP client/server, WebSocket, and event loop functionality. HTTP Request Smuggling (CWE-444) occurs when front-end and back-end servers interpret HTTP request boundaries differently, typically through ambiguous Content-Length and Transfer-Encoding headers. The libhv library is used in embedded systems, IoT devices, and as a lightweight HTTP server in C++ applications. The vulnerability likely stems from non-compliant HTTP/1.1 parsing that allows crafted requests to be split or merged differently by chained HTTP processors.

Affected Products

ithewei libhv versions up to and including 1.3.3. Applications embedding libhv as HTTP server or proxy component are affected. Common deployment contexts include IoT devices, embedded Linux systems, and lightweight C++ web services.

Remediation

Upgrade libhv to a version newer than 1.3.3 once a patch is released. As a workaround, ensure strict HTTP parsing is enforced on any reverse proxy in front of libhv (e.g., nginx proxy_request_buffering on, reject ambiguous Transfer-Encoding headers). Monitor for unusual HTTP request patterns that may indicate smuggling attempts. Consider implementing HTTP/2 end-to-end which is not susceptible to classic smuggling attacks.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.2

CVSS: +50

POC: 0

CVE-2025-1867 vulnerability details – vuln.today

Back

CVE-2025-1867

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-1867

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code