CVE-2025-26803
Published: 24 February 2025
Summary
CVE-2025-26803 is a medium-severity Use of Uninitialized Resource (CWE-908) vulnerability in Phusion Passenger. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 49.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the CVE by requiring timely remediation through patching Phusion Passenger to version 6.0.26, which eliminates the HTTP parser flaw.
- SC-5 (Denial-of-service Protection): provides denial-of-service protections such as rate limiting and request throttling to prevent exploitation of the invalid-HTTP-method parser flaw.
- Input validation: enforces validation of HTTP request inputs to reject or sanitize invalid methods before they reach the vulnerable Phusion Passenger parser.
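One way to implement the input-validation control above at an edge proxy or WAF layer, as an added example that is not Phusion Passenger's code and does not reproduce any known trigger for this CVE: it checks the request line's method against the RFC 9110 token grammar and an assumed per-deployment allowlist before anything is forwarded, so a malformed method is rejected before it reaches the backend parser. The allowlist, the length cap and the sample request lines are assumptions constructed for the example.

```python
import re
# RFC 9110 token characters (tchar); an HTTP method must be a non-empty token.
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Assumed deployment allowlist and length cap (not taken from the advisory).
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"PATCH"}
MAX_METHOD_LEN = 16


def check_request_line(line: bytes) -> tuple[bool, str]:
    """Return (accept, reason) for one HTTP/1.x request line, checked before
    it is forwarded, so a malformed method never reaches the backend parser."""
    if not line.endswith(b"\r\n"):
        return False, "request line not CRLF-terminated"
    parts = line[:-2].split(b" ")
    if len(parts) != 3:
        return False, "request line does not have exactly three fields"
    method, target, version = parts
    if not method or len(method) > MAX_METHOD_LEN:
        return False, "method empty or too long"
    if not _TOKEN.match(method):
        return False, "method contains non-token bytes"
    if method not in ALLOWED_METHODS:  # case-sensitive: "get" is not "GET"
        return False, "method not in allowlist"
    if not target or not version.startswith(b"HTTP/1."):
        return False, "bad request-target or version"
    return True, "ok"


def triage(lines):
    """Split a batch of request lines into accepted and rejected (line, reason)."""
    accepted, rejected = [], []
    for line in lines:
        ok, reason = check_request_line(line)
        (accepted if ok else rejected).append((line, reason))
    return accepted, rejected


# Constructed sample request lines (not captured traffic).
SAMPLE_LINES = [
    b"GET /index.html HTTP/1.1\r\n",
    b"POST /api/login HTTP/1.1\r\n",
    b"G\x00ET / HTTP/1.1\r\n",     # control byte inside the method
    b"\xff\xfe / HTTP/1.1\r\n",     # non-ASCII bytes where a token must be
    b"BREW /pot-1 HTTP/1.1\r\n",    # well-formed token, but not allow-listed
    b"GET / HTTP/1.1\n",            # bare LF instead of CRLF
]
if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LINES)[1]:
        print(f"reject {line!r}: {reason}")
```

Rejections at this layer should also be logged and counted, since a burst of malformed methods against a Passenger-backed host is the signal SC-5 rate limiting is meant to act on.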
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A vulnerability in the HTTP parser allows remote exploitation of a public-facing application to crash or disrupt service via a malformed request, which maps directly to Application or System Exploitation (T1499.004) as a denial-of-service technique.
NVD Description
The http parser in Phusion Passenger 6.0.21 through 6.0.25 before 6.0.26 allows a denial of service during parsing of a request with an invalid HTTP method.
Deeper analysis
CVE-2025-26803 is a denial-of-service vulnerability in the HTTP parser of Phusion Passenger versions 6.0.21 through 6.0.25, prior to 6.0.26. The flaw, linked to CWE-908 (Use of Uninitialized Resource), allows disruption during the parsing of a specially crafted HTTP request containing an invalid HTTP method. It has a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), indicating medium severity with low availability impact but no confidentiality or integrity effects.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By sending a malicious HTTP request with an invalid method to a vulnerable Phusion Passenger instance, the attacker triggers a denial-of-service condition, potentially causing the parser to fail and disrupting service availability for legitimate users.
Phusion Passenger advisories recommend upgrading to version 6.0.26, which addresses the issue via a specific commit (bb15591646687064ab2d578d5f9660b2a4168017). Release notes and the official blog post detail the fix, with GitHub comparisons confirming changes between 6.0.25 and 6.0.26; additional support resources are available on the Phusion Passenger site.
Details
- CWE(s)