Alpine: multiple lighttpd packages: security update to 1.4.81-r0

high Tenable Cloud Security Plugin ID 435496

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the
internal architectures of some HTTP/2 implementations may result in excessive server resource consumption
leading to denial-of-service (DoS). By opening streams and then rapidly triggering the server to reset
them—using malformed frames or flow control errors—an attacker can exploit incorrect stream accounting.
Streams reset by the server are considered closed at the protocol level, even though backend processing
continues. This allows a client to cause the server to handle an unbounded number of concurrent streams on
a single connection. This CVE will be updated as affected product details are released. (CVE-2025-8671)

See Also

https://security.alpinelinux.org/vuln/CVE-2025-8671

Plugin Details

Severity: High

ID: 435496

Version: Revision 1.3

Type: Local

Published: 10/2/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5.7

Percentile: 96.49

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2025-8671

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 8/13/2025

Reference Information

CVE: CVE-2025-8671