CVE-2022-30780 - Lighttpd - Denial of Service

May 16, 2022   
cve denial-of-service unauthenticated 


Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a denial of service (CPU consumption from stuck connections) because connection_read_header_more in connections.c has a typo that disrupts use of multiple read operations on large headers.

Vulnerable versions

The following versions of lighttpd are vulnerable:

Software   Version   Vulnerable
Lighttpd   1.4.58    Yes ✅
Lighttpd   1.4.57    Yes ✅
Lighttpd   1.4.56    Yes ✅


On a vulnerable version, if an unauthenticated attacker sends many requests whose URL exceeds the maximum URL size, the connections opened are never closed and the server stops accepting new connections.


Here is a demonstration with:


To patch this vulnerability, update lighttpd to a version greater than 1.4.59.
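Two defender-side checks that follow from the table above and from the stuck-connection behaviour described earlier, written as an added example (this is not lighttpd project code and not part of the advisory). The first maps a lighttpd version banner onto the advisory's affected range 1.4.56 through 1.4.58; the second counts established connections per peer in `ss -tan`-style output so that a pile-up of never-closed connections to the lighttpd port can be spotted. The `ss` sample, the peer addresses, the port and the alert threshold are all constructed for the example.

```python
"""Defender-side helpers for CVE-2022-30780 (lighttpd 1.4.56 - 1.4.58).

Added example, not lighttpd project code. The affected range comes from the
advisory table; the `ss -tan` input format and the threshold are assumptions.
"""
import re
from collections import Counter

# Inclusive affected range per the advisory table.
AFFECTED_MIN = (1, 4, 56)
AFFECTED_MAX = (1, 4, 58)

_VERSION_RE = re.compile(r"lighttpd/(\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str):
    """Return (major, minor, patch) from a lighttpd banner or Server header,
    e.g. 'lighttpd/1.4.58 (ssl) - a light and fast webserver'. None if absent."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(banner: str) -> bool:
    """True when the banner's version falls inside the advisory's affected range."""
    v = parse_version(banner)
    if v is None:
        raise ValueError(f"no lighttpd version found in {banner!r}")
    return AFFECTED_MIN <= v <= AFFECTED_MAX


# Matches the data lines of `ss -tan`: State Recv-Q Send-Q Local:Port Peer:Port.
# The header line and LISTEN sockets (peer port '*') do not match and are skipped.
_SS_LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)")


def stuck_connections(ss_output: str, listen_port: int = 80, threshold: int = 50):
    """Count ESTAB connections per peer address towards listen_port and return
    the peers at or above threshold. A single peer holding dozens of open
    connections to the web port is the symptom the advisory describes."""
    counts = Counter()
    for line in ss_output.splitlines():
        m = _SS_LINE_RE.match(line.strip())
        if not m:
            continue
        state, _recvq, _sendq, _laddr, lport, paddr, _pport = m.groups()
        if state != "ESTAB" or int(lport) != listen_port:
            continue
        counts[paddr] += 1
    return {peer: n for peer, n in counts.items() if n >= threshold}


# Constructed `ss -tan` sample: one peer holding 60 open connections to port 80,
# one benign peer with a single connection, plus the listening socket.
SAMPLE_SS = "\n".join(
    ["State  Recv-Q Send-Q Local Address:Port  Peer Address:Port",
     "LISTEN 0      1024   0.0.0.0:80          0.0.0.0:*",
     "ESTAB  0      0      10.0.0.5:80         203.0.113.9:40001"]
    + [f"ESTAB  0      0      10.0.0.5:80         198.51.100.7:{51000 + i}"
       for i in range(60)]
)


if __name__ == "__main__":
    for banner in ("lighttpd/1.4.58 (ssl) - a light and fast webserver",
                   "lighttpd/1.4.59"):
        print(banner, "-> affected" if is_affected(banner) else "-> not affected")
    print("peers over threshold:", stuck_connections(SAMPLE_SS))
```

Feed `stuck_connections` the real output of `ss -tan` (or a cron-captured copy) and tune `threshold` to the site's normal per-client connection count; `is_affected` can be pointed at the `Server` response header if lighttpd exposes it.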