
CVE-2025-60876: n/a

Severity: Medium
Type: Vulnerability
Tags: cve, cve-2025-60876
Published: Mon Nov 10 2025 (11/10/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

BusyBox wget through 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20).

AI-Powered Analysis

Last updated: 11/17/2025, 20:58:40 UTC

Technical Analysis

CVE-2025-60876 is a vulnerability in BusyBox wget versions up to 1.3.7, in which the request-target of the HTTP/1.1 request line accepts raw carriage return (CR, 0x0D), line feed (LF, 0x0A), and other C0 control characters. The request line has the format METHOD SP request-target SP HTTP/1.1 CRLF, and the request-target should not contain raw control characters or spaces (spaces should be percent-encoded as %20). Because of insufficient input validation, BusyBox wget allows these control characters within the request-target, enabling an attacker to split the request line and inject attacker-controlled HTTP headers. This header injection can lead to HTTP request smuggling or manipulation, potentially allowing attackers to bypass security controls, poison caches, or conduct further attacks on downstream systems. The vulnerability has a CVSS 3.1 base score of 6.5 (medium severity), with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and limited confidentiality and integrity impact (C:L/I:L/A:N). No patches or known exploits are currently reported, but the flaw poses a risk especially in embedded systems and IoT devices that rely on BusyBox wget for HTTP communications. The weakness is mapped to CWE-284 (Improper Access Control), reflecting insufficient validation of input leading to unauthorized header injection.

Potential Impact

For European organizations, the vulnerability poses a moderate risk primarily to embedded systems, IoT devices, and network appliances that utilize BusyBox wget for HTTP requests. Exploitation could allow attackers to manipulate HTTP headers, potentially bypassing security controls such as web application firewalls or proxy servers, leading to unauthorized access or data leakage. Confidentiality and integrity of HTTP communications may be compromised, though availability impact is unlikely. Industrial control systems and critical infrastructure using embedded Linux with BusyBox components could be targeted, increasing risk to sectors like manufacturing, energy, and telecommunications. The lack of authentication or user interaction requirements makes remote exploitation feasible, increasing the attack surface. However, the absence of known exploits and patches currently limits immediate widespread impact. Organizations relying on BusyBox wget should consider this vulnerability in their risk assessments, especially where HTTP request integrity is critical.

Mitigation Recommendations

1. Monitor for official BusyBox updates and apply patches addressing this vulnerability as soon as they become available.
2. Implement input validation and sanitization on HTTP request-targets at network boundaries or proxy servers to reject requests containing raw CR, LF, or other control characters.
3. Use web application firewalls (WAFs) or intrusion detection/prevention systems (IDS/IPS) configured to detect and block HTTP request smuggling or header injection attempts.
4. Where feasible, replace BusyBox wget with alternative HTTP clients that properly validate HTTP request lines.
5. Conduct network traffic analysis to identify anomalous HTTP requests with suspicious header injection patterns.
6. Harden embedded and IoT devices by restricting network access and applying segmentation to limit exposure.
7. Educate developers and system integrators about proper HTTP request construction and the risks of control character injection.
8. Review and update security policies to include validation of HTTP request inputs in custom or embedded applications.


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-09-26T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 6912465f941466772c506b6f

Added to database: 11/10/2025, 8:09:03 PM

Last enriched: 11/17/2025, 8:58:40 PM

Last updated: 2/6/2026, 5:10:09 AM
