Hiawatha open-source web server has identified vulnerabilities across multiple components.
A recent advisory details multiple vulnerabilities in the Hiawatha open-source web server affecting versions 8.5 through 11.7, relevant for IT leaders managing server security.
Overview
Hiawatha is a web server compatible with various operating systems including Windows, MacOS X, and several Linux distributions. It focuses on performance and provides a lightweight alternative to larger web servers. Several vulnerabilities have been identified: improper handling of the Hypertext Transfer Protocol (HTTP) Content-Length and Transfer-Encoding headers, an authentication issue within the Tomahawk component, and a memory management flaw in the XSLT show_index function. Although the server is no longer actively maintained, the developer has acknowledged these vulnerabilities and has included fixes in the upcoming release.
Description
CVE-2025-57783 stems from improper header parsing in the fetch_request function, which could allow unauthenticated attackers to smuggle requests and reach restricted server resources. CVE-2025-57784 is an authentication timing vulnerability in the Tomahawk component: credentials are compared with 'strcmp', whose execution time depends on how much of the input matches, which could permit a local attacker to gain access to the management client. Lastly, CVE-2025-57785 is a double free in the XSLT show_index function, which can lead to data corruption and arbitrary code execution.
Impact
An attacker exploiting the request smuggling vulnerability could bypass authentication, hijack user sessions, and inject malicious payloads. The timing vulnerability could allow a local attacker to infer whether a password is correct from the server's response time. The double free in the XSLT function, a memory management error, poses a risk of data corruption and arbitrary code execution.
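As an added illustration of the header-framing problem behind CVE-2025-57783 (example code written for this summary, not Hiawatha's own), the following C function applies the strict check a server can run before trusting a request's body length: any request whose framing is ambiguous is flagged for rejection instead of being parsed leniently. The function and enum names, and the sample requests, are assumed for the example.

```c
/* Added example (not Hiawatha's code): a framing-header sanity check a server
 * can apply before trusting Content-Length or Transfer-Encoding. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum framing { FRAMING_OK = 0, FRAMING_AMBIGUOUS = 1 };

/* Case-insensitive test for "Name:" at the start of a header line. */
static int header_is(const char *line, const char *name) {
    for (; *name; name++, line++)
        if (tolower((unsigned char)*line) != tolower((unsigned char)*name))
            return 0;
    return *line == ':';
}

/* Inspect the header block of one raw request (headers end at "\r\n\r\n").
 * Returns FRAMING_AMBIGUOUS when the request carries both Transfer-Encoding
 * and Content-Length, more than one Content-Length, an empty or non-decimal
 * Content-Length value, or an unterminated header block. Such requests should
 * be answered with 400, since a front-end proxy and the origin server might
 * otherwise disagree on where the message body ends. */
int check_framing(const char *req) {
    int has_te = 0, cl_count = 0;
    const char *eol = strstr(req, "\r\n");       /* end of the request line */
    if (eol == NULL) return FRAMING_AMBIGUOUS;
    for (const char *line = eol + 2; strncmp(line, "\r\n", 2) != 0; line = eol + 2) {
        eol = strstr(line, "\r\n");
        if (eol == NULL) return FRAMING_AMBIGUOUS;              /* no terminating CRLF */
        if (header_is(line, "Transfer-Encoding")) has_te = 1;
        if (header_is(line, "Content-Length")) {
            const char *v = line + strlen("Content-Length:");
            while (v < eol && (*v == ' ' || *v == '\t')) v++;   /* skip leading OWS */
            if (v == eol) return FRAMING_AMBIGUOUS;             /* empty value */
            for (; v < eol; v++)
                if (!isdigit((unsigned char)*v)) return FRAMING_AMBIGUOUS;
            if (++cl_count > 1) return FRAMING_AMBIGUOUS;       /* duplicate header */
        }
    }
    return (has_te && cl_count) ? FRAMING_AMBIGUOUS : FRAMING_OK;
}

int main(void) {
    /* Constructed sample requests, not captured traffic. */
    const char *clean = "POST / HTTP/1.1\r\nHost: example\r\nContent-Length: 5\r\n\r\nhello";
    const char *both  = "POST / HTTP/1.1\r\nHost: example\r\nContent-Length: 5\r\n"
                        "Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n";
    printf("clean: %d, both: %d\n", check_framing(clean), check_framing(both));
    return 0;
}
```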
Solution
Users of Hiawatha should install the updates as soon as they become available to mitigate these vulnerabilities.
Acknowledgements
The advisory credits Ali Norouzi from Keysight for reporting the vulnerabilities. The document has been authored by Laurie Tyzenhaus.
Vendor Information
For comprehensive details, refer to the full report, which also lists the vendors associated with this advisory.
Other Information
| CVE IDs: | CVE-2025-57783 CVE-2025-57784 CVE-2025-57785 |
| Date Public: | 2025-09-09 |
| Date First Published: | 2025-09-09 |
| Date Last Updated: | 2025-09-09 02:57 UTC |
| Document Revision: | 1 |