Overview
Hiawatha is an open-source web server that runs on Windows, MacOS X and a variety of Linux distributions. It was designed with performance in mind and is used in place of larger, more complex web servers. Three vulnerabilities have been identified. The fetch_request function mishandles the HTTP headers that determine message framing, Content-Length and Transfer-Encoding, which permits request smuggling. Tomahawk, the management component of Hiawatha, is vulnerable to an authentication timing attack because it compares input with strcmp, which may allow a local attacker to access the management client. The XSLT show_index function contains a double free, a memory-handling error. Hiawatha is no longer actively supported by the developer; nevertheless, the developer has acknowledged the vulnerabilities and has tested an update that mitigates or remediates all three, to be included in the next release.
Description
CVE-2025-57783 A request smuggling vulnerability caused by improper header parsing has been identified in the fetch_request function of Hiawatha web server versions 8.5 through 11.7. This vulnerability allows an unauthenticated attacker to smuggle requests and access restricted resources managed by the server.
CVE-2025-57784 An authentication timing attack has been identified in the Tomahawk component of Hiawatha web server versions 8.5 through 11.7, caused by the use of strcmp in the handle_admin function (strcmp returns at the first differing byte, so its running time depends on how much of the input matches). This vulnerability allows a local attacker to access the management client.
CVE-2025-57785 A double free in the XSLT show_index function has been identified in Hiawatha web server versions 10.8.2 through 11.7. This vulnerability allows an unauthenticated attacker to corrupt memory, which may lead to arbitrary code execution.
Impact
Exploiting the request smuggling vulnerability may allow an attacker to bypass authentication, hijack user sessions, or inject malicious payloads into other requests on the same connection. The attack works because two parsers (Hiawatha and whatever sits in front of it, or Hiawatha and the attacker's intended framing) disagree on where one request ends, so the trailing bytes of one request are processed as the start of the next.
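The framing conflict behind this class of bug can be checked mechanically. The following is an added example, not Hiawatha's fetch_request code: a small header scanner that rejects a request carrying both Content-Length and Transfer-Encoding: chunked (or two Content-Length headers that disagree), plus a chunked-body parser that shows how many bytes a Content-Length-only reader would consume beyond the chunked terminator on a constructed CL.TE request. The request bytes, the hostname hiawatha.example and all function names are constructed for the illustration; request buffers are assumed to be NUL-terminated strings.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

enum verdict { REQ_OK = 0, REQ_AMBIGUOUS_CL_TE, REQ_DUPLICATE_CL, REQ_BAD_HEADER };

/* What the header block says about framing. */
struct framing { int cl_count; long cl; int te_chunked; };

/* Header names are case-insensitive; the name must be followed by ':'. */
static int header_is(const char *line, const char *name) {
    size_t n = strlen(name);
    return strncasecmp(line, name, n) == 0 && line[n] == ':';
}

static const char *skip_ows(const char *p, const char *end) {
    while (p < end && (*p == ' ' || *p == '\t')) p++;
    return p;
}

static int contains_ci(const char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (strncasecmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Walk the header block and refuse the combinations that make framing
   ambiguous: Content-Length next to Transfer-Encoding: chunked, or two
   Content-Length values that differ. */
static enum verdict check_framing(const char *req, struct framing *f) {
    memset(f, 0, sizeof *f);
    const char *p = strstr(req, "\r\n"), *eol;      /* skip the request line */
    if (!p) return REQ_BAD_HEADER;
    for (p += 2; strncmp(p, "\r\n", 2) != 0; p = eol + 2) {
        if (!(eol = strstr(p, "\r\n"))) return REQ_BAD_HEADER;
        if (header_is(p, "Content-Length")) {
            const char *v = skip_ows(p + 15, eol);   /* past "Content-Length:" */
            char *end;
            if (!isdigit((unsigned char)*v)) return REQ_BAD_HEADER;
            long n = strtol(v, &end, 10);
            if (skip_ows(end, eol) != eol) return REQ_BAD_HEADER;  /* junk after digits */
            if (f->cl_count++ && n != f->cl) return REQ_DUPLICATE_CL;
            f->cl = n;
        } else if (header_is(p, "Transfer-Encoding")) {
            const char *v = skip_ows(p + 18, eol);   /* past "Transfer-Encoding:" */
            if (contains_ci(v, (size_t)(eol - v), "chunked")) f->te_chunked = 1;
        }
    }
    return (f->te_chunked && f->cl_count) ? REQ_AMBIGUOUS_CL_TE : REQ_OK;
}

static const char *body_of(const char *req) {
    const char *b = strstr(req, "\r\n\r\n");
    return b ? b + 4 : NULL;
}

/* Bytes a chunked-body parser consumes before it considers the message
   complete (through the empty line after the 0 chunk), or -1 if malformed. */
static long chunked_consumed(const char *body) {
    const char *p = body, *eol;
    for (;;) {
        char *end;
        if (!isxdigit((unsigned char)*p)) return -1;
        unsigned long size = strtoul(p, &end, 16);
        if (!(eol = strstr(end, "\r\n"))) return -1;
        p = eol + 2;                                   /* start of chunk data */
        if (size == 0) {                               /* last chunk, then trailers */
            while (strncmp(p, "\r\n", 2) != 0) {
                if (!(eol = strstr(p, "\r\n"))) return -1;
                p = eol + 2;
            }
            return (long)(p + 2 - body);
        }
        size_t rem = strlen(p);
        if (rem < 2 || size > rem - 2 || p[size] != '\r' || p[size + 1] != '\n') return -1;
        p += size + 2;
    }
}

/* Constructed CL.TE request: Content-Length covers all 13 body bytes, but
   chunked framing ends after 5, leaving "SMUGGLED" as the next request. */
static const char CLTE_REQUEST[] =
    "POST / HTTP/1.1\r\n"
    "Host: hiawatha.example\r\n"
    "Content-Length: 13\r\n"
    "Transfer-Encoding: chunked\r\n"
    "\r\n"
    "0\r\n\r\n"
    "SMUGGLED";

static int verdict_of(const char *req) {
    struct framing f;
    return (int)check_framing(req, &f);
}

/* Bytes a Content-Length reader takes past the point where a chunked reader
   stops; anything positive becomes an attacker-controlled prefix of the next
   request on the connection. */
static long smuggled_bytes(const char *req) {
    struct framing f;
    check_framing(req, &f);
    const char *body = body_of(req);
    if (!body || !f.cl_count || !f.te_chunked) return 0;
    long te = chunked_consumed(body);
    return te < 0 ? 0 : f.cl - te;
}

int main(void) {
    printf("CL.TE request: verdict=%d, bytes left for next request=%ld\n",
           verdict_of(CLTE_REQUEST), smuggled_bytes(CLTE_REQUEST));
    return 0;
}
```

RFC 9112 says a message carrying both headers ought to be treated as an error and that Transfer-Encoding, never Content-Length, governs framing if it is processed at all; returning 400 is the safer choice for a server that may sit behind a proxy with its own parser.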
The strcmp call in the handle_admin function returns as soon as it finds a differing byte, so the time taken to reject a password grows with the number of leading characters the attempt has correct. An attacker who can submit many attempts and time each one can extend the guess one character at a time, keeping the candidate whose rejection took longest. Because the per-byte difference is small relative to measurement noise, many samples are needed per position, so this vulnerability may be time consuming to exploit.
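To make the side channel concrete, the following added example (not Tomahawk's code) instruments an early-exit comparison with the same semantics as strcmp beside a constant-time comparison, counting how many bytes each examines. The step count stands in for elapsed time, which removes the noise a real attacker has to average out, and a simulated attack recovers a constructed secret from that oracle one character at a time. The secret, alphabet and function names are all assumptions for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Mirrors strcmp: returns at the first differing byte, so the number of
   bytes examined (and the time taken) grows with the correctly guessed
   prefix. *steps counts the byte comparisons, standing in for elapsed time. */
static int leaky_equal(const char *guess, const char *secret, size_t *steps) {
    *steps = 0;
    for (size_t i = 0;; i++) {
        (*steps)++;
        if (guess[i] != secret[i]) return 0;
        if (guess[i] == '\0') return 1;
    }
}

/* Constant-time comparison: visits every byte of the secret whatever the
   guess, OR-ing the differences together and folding a length mismatch in
   without an early return. The secret's length is still visible; real code
   should compare fixed-length digests so that this does not matter. */
static int ct_equal(const char *guess, const char *secret, size_t *steps) {
    size_t glen = strlen(guess), slen = strlen(secret);
    unsigned char diff = (unsigned char)(glen != slen);
    *steps = 0;
    for (size_t i = 0; i < slen; i++, (*steps)++) {
        unsigned char g = i < glen ? (unsigned char)guess[i] : 0;
        diff |= g ^ (unsigned char)secret[i];
    }
    return diff == 0;
}

/* Byte comparisons performed by either routine for one guess. */
static size_t steps_for(int constant_time, const char *guess, const char *secret) {
    size_t steps;
    if (constant_time) ct_equal(guess, secret, &steps);
    else leaky_equal(guess, secret, &steps);
    return steps;
}

/* Simulated attack on the leaky check: extend the guess one byte at a time,
   keeping the candidate that made the comparison run longest. */
static int recover_secret(const char *secret, char *out, size_t outsz) {
    static const char alphabet[] = "abcdefghijklmnopqrstuvwxyz0123456789";
    size_t len = 0;
    while (len + 1 < outsz) {
        size_t best = 0;
        char best_c = alphabet[0];
        for (const char *c = alphabet; *c; c++) {
            size_t steps;
            out[len] = *c;
            out[len + 1] = '\0';
            if (leaky_equal(out, secret, &steps)) return 1;   /* full match */
            if (steps > best) { best = steps; best_c = *c; }
        }
        out[len++] = best_c;
        out[len] = '\0';
    }
    return 0;   /* secret longer than the buffer or outside the alphabet */
}

/* 1 if the timing oracle alone recovers the secret byte for byte. */
static int attack_recovers(const char *secret) {
    char buf[64];
    return recover_secret(secret, buf, sizeof buf) && strcmp(buf, secret) == 0;
}

int main(void) {
    const char *secret = "s3cret";                    /* constructed sample */
    printf("leaky: 'sxxxxx' -> %zu steps, 's3cxxx' -> %zu steps\n",
           steps_for(0, "sxxxxx", secret), steps_for(0, "s3cxxx", secret));
    printf("constant-time: both -> %zu steps\n", steps_for(1, "sxxxxx", secret));
    printf("attack recovers secret: %d\n", attack_recovers(secret));
    return 0;
}
```

Against the leaky check every correct character adds one comparison, which is the signal the attack keys on; against the constant-time check every guess costs the same, so the oracle has nothing to rank. In a real deployment the same effect is obtained with CRYPTO_memcmp or an equivalent, applied to a fixed-length hash rather than the raw password.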
A double free occurs when a program releases the same heap allocation more than once. In the XSLT show_index function the second free appears to originate from an error in memory management during XSLT processing. Freeing a block twice corrupts the allocator's bookkeeping, which an attacker may be able to turn into controlled memory corruption and ultimately the execution of arbitrary code.
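The usual shape of such a bug is a cleanup that runs on two paths. The following added example (not Hiawatha's show_index code, whose structure is not described here) shows a hypothetical index-rendering routine in its vulnerable and fixed forms, run under a tiny allocation tracker that reports a double free instead of corrupting the heap the way a second real free() would. Function and struct names are assumptions for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal double-free detector: remembers which allocations are still live
   and refuses to free anything it has already released. Real free() would
   silently corrupt the heap metadata instead. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int double_frees;

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);
    return NULL;
}

static void tracked_free(void *p) {
    if (!p) return;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;     /* pointer was not live: this is a double free */
}

struct index_ctx { char *buf; };

/* Vulnerable shape: the callee frees ctx->buf on its error path but leaves
   the dangling pointer behind, so the caller's cleanup frees it again. */
static int render_vulnerable(struct index_ctx *ctx, int fail) {
    ctx->buf = tracked_malloc(64);
    if (!ctx->buf) return -1;
    if (fail) { tracked_free(ctx->buf); return -1; }
    strcpy(ctx->buf, "<ul><li>index.html</li></ul>");
    return 0;
}

/* Fixed shape: every free is followed by nulling the pointer, so the
   caller's cleanup is a no-op on the error path. */
static int render_fixed(struct index_ctx *ctx, int fail) {
    ctx->buf = tracked_malloc(64);
    if (!ctx->buf) return -1;
    if (fail) { tracked_free(ctx->buf); ctx->buf = NULL; return -1; }
    strcpy(ctx->buf, "<ul><li>index.html</li></ul>");
    return 0;
}

/* Run one variant once and report how many double frees the detector saw. */
static int double_frees_in(int fixed, int fail) {
    struct index_ctx ctx = { NULL };
    double_frees = 0;
    if (fixed) render_fixed(&ctx, fail);
    else render_vulnerable(&ctx, fail);
    tracked_free(ctx.buf);              /* caller's cleanup, runs on every path */
    return double_frees;
}

int main(void) {
    printf("vulnerable, error path: %d double free(s)\n", double_frees_in(0, 1));
    printf("fixed, error path:      %d double free(s)\n", double_frees_in(1, 1));
    printf("vulnerable, success:    %d double free(s)\n", double_frees_in(0, 0));
    return 0;
}
```

The tracker keys on pointer value only, so it is sound within a single run of the scenario but would be fooled if the allocator handed the same address to a later allocation; AddressSanitizer and glibc's own tcache double-free check do the same job more robustly and are the right tools for finding this class of bug in a server build.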
Solution
Install the updated version when it is distributed by Hiawatha.
Acknowledgements
Thanks to the reporter Ali Norouzi of Keysight. This document was written by Laurie Tyzenhaus.
Vendor Information
Other Information
CVE IDs: CVE-2025-57783, CVE-2025-57784, CVE-2025-57785
API URL: VINCE JSON, CSAF
Date Public: 2025-09-09
Date First Published: 2025-09-09
Date Last Updated: 2025-09-09 02:57 UTC
Document Revision: 1