BusyBox: Security Vulnerabilities
BusyBox wget through 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20).
CVSS Score: 6.5 | EPSS Score: 0.001 | Published: 2025-11-10
In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.
CVSS Score: 3.2 | EPSS Score: 0.0 | Published: 2025-04-23
A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.
CVSS Score: 5.5 | EPSS Score: 0.0 | Published: 2023-11-27
A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function.
CVSS Score: 5.5 | EPSS Score: 0.0 | Published: 2023-11-27
A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.
CVSS Score: 5.5 | EPSS Score: 0.0 | Published: 2023-11-27
A use-after-free vulnerability was discovered in the xasprintf function at xfuncs_printf.c:344 in BusyBox v.1.36.1.
CVSS Score: 5.5 | EPSS Score: 0.0 | Published: 2023-11-27
An issue in the CPIO command of BusyBox v1.33.2 allows attackers to execute a directory traversal.
CVSS Score: 7.8 | EPSS Score: 0.001 | Published: 2023-08-28
There is a stack overflow vulnerability in ash.c:6030 in BusyBox before 1.35. In an Internet of Vehicles environment, this vulnerability can be escalated from command execution to arbitrary code execution.
CVSS Score: 9.8 | EPSS Score: 0.007 | Published: 2023-08-22
A use-after-free in the awk applet of BusyBox 1.35-x leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function.
CVSS Score: 7.8 | EPSS Score: 0.006 | Published: 2022-05-18
BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT-compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.
CVSS Score: 8.8 | EPSS Score: 0.024 | Published: 2022-04-03



Shodan ® - All rights reserved