CVE-2025-60876: n/a

Published: Mon Nov 10 2025 (11/10/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20).

AI-Powered Analysis

Last updated: 11/10/2025, 20:24:02 UTC

Technical Analysis

CVE-2025-60876 is a vulnerability in BusyBox wget versions up to 1.3.7, where the HTTP request-target component improperly accepts raw carriage return (0x0D), line feed (0x0A), and other C0 control characters. In HTTP/1.1, the request line follows the format METHOD SP request-target SP HTTP/1.1, where SP is a space character (0x20). Because BusyBox wget does not reject raw CR/LF and other control bytes in the request-target, an attacker can split the request line into multiple lines and inject attacker-controlled HTTP headers. The client also accepts raw spaces in the request-target; these should be percent-encoded as %20 to maintain request-line integrity.

This can lead to HTTP request smuggling or header injection attacks, which may be leveraged to bypass security controls, poison caches, or manipulate backend server behavior. Although no CVSS score has been assigned, the flaw is significant because it undermines the fundamental HTTP request parsing logic.

Exploitation requires an attacker to send malicious HTTP requests to a server or proxy using BusyBox wget, which is often embedded in IoT or constrained devices. The vulnerability is particularly concerning in environments where BusyBox wget is used for automated HTTP requests or proxying, as it can be exploited to inject malicious headers or smuggle requests past security devices. No known exploits are currently reported in the wild, and no patches have been linked yet, but the vulnerability is publicly disclosed and should be addressed promptly.
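The request-target check described above, as an added C example; it is not BusyBox code or the upstream fix. The function names are hypothetical and the sample targets are constructed. It contrasts formatting the request line unchecked with refusing any target that contains a raw C0 control byte or space.

```c
#include <stdio.h>
#include <string.h>

/* Offset of the first byte that may not appear raw in a request-target:
 * any C0 control (0x00-0x1F, covering CR and LF) or space (0x20); -1 if clean. */
static long first_forbidden(const char *target, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if ((unsigned char)target[i] <= 0x20)
            return (long)i;
    return -1;
}

/* Unchecked formatting: whatever is in `target` lands on the wire. */
static int request_line_unchecked(char *out, size_t outsz, const char *target)
{
    return snprintf(out, outsz, "GET %s HTTP/1.1\r\n", target);
}

/* Checked formatting: refuse the target instead of emitting it. */
static int request_line_checked(char *out, size_t outsz, const char *target)
{
    if (target[0] == '\0' || first_forbidden(target, strlen(target)) >= 0)
        return -1;
    int n = snprintf(out, outsz, "GET %s HTTP/1.1\r\n", target);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Number of CRLF-terminated lines a peer would parse from `buf`. */
static int count_lines(const char *buf)
{
    int n = 0;
    for (const char *p = buf; (p = strstr(p, "\r\n")) != NULL; p += 2)
        n++;
    return n;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the advisory. */
    const char *clean = "/fw/update.bin?ch=stable%20v2";
    const char *split = "/fw/update.bin HTTP/1.1\r\nX-Example: 1\r\nX-Pad:";
    char buf[256];
    request_line_unchecked(buf, sizeof buf, split);
    printf("unchecked: %d lines on the wire\n", count_lines(buf));
    printf("checked, split target: %d\n", request_line_checked(buf, sizeof buf, split));
    printf("checked, clean target: %d\n", request_line_checked(buf, sizeof buf, clean));
    return 0;
}
```

The same byte test (reject anything at or below 0x20 in the request-target) is what a boundary filter would apply when inspecting request lines.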

Potential Impact

For European organizations, the impact of CVE-2025-60876 can be substantial, especially for those relying on BusyBox wget in embedded systems, IoT devices, or network appliances. Successful exploitation can lead to HTTP request smuggling or header injection, which may allow attackers to bypass security controls such as web application firewalls, poison caches, or manipulate backend server behavior. This can result in unauthorized access, data leakage, or disruption of services. Industrial sectors using embedded Linux devices with BusyBox, such as manufacturing, energy, and telecommunications, are particularly at risk. The vulnerability could also be exploited to facilitate further attacks within internal networks if devices are reachable. Given the widespread use of BusyBox in constrained environments, the scope of affected systems is broad, increasing the potential attack surface. The absence of authentication requirements and the ability to trigger the flaw remotely via crafted HTTP requests heighten the risk. However, exploitation requires network access to the affected device and the ability to send specially crafted HTTP requests, which may limit exposure to internal or poorly segmented networks.

Mitigation Recommendations

European organizations should take the following specific mitigation steps:

1) Inventory and identify all devices and systems using BusyBox wget, particularly versions up to 1.3.7, focusing on embedded, IoT, and network appliances.
2) Monitor vendor advisories and apply patches or updated BusyBox versions as soon as they become available to address this vulnerability.
3) Implement strict input validation and filtering on HTTP requests at network boundaries, including rejecting or sanitizing requests containing raw CR, LF, or control characters in the request-target.
4) Deploy web application firewalls and intrusion detection systems configured to detect and block HTTP request smuggling or header injection attempts.
5) Segment networks to limit exposure of vulnerable devices to untrusted networks or the internet.
6) Conduct security assessments and penetration testing to identify potential exploitation paths involving BusyBox wget.
7) Educate security teams about the risks of HTTP request smuggling and header injection to improve detection and response capabilities.
8) Where possible, replace or upgrade embedded devices running outdated BusyBox versions with more secure alternatives.


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-09-26T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 6912465f941466772c506b6f

Added to database: 11/10/2025, 8:09:03 PM

Last enriched: 11/10/2025, 8:24:02 PM

Last updated: 11/12/2025, 4:10:47 AM
