Overview Hiawatha is an open-source web server that supports Windows, MacOS X and a variety of Linux distributions. Hiawatha was focused on performance and is used in place of larger, more complex web servers. The fetch_request is vulnerable due to improper handling of HTTP headers regarding content length and transfer encoding. Tomahawk is a component of the Hiawatha web server which is vulnerable to authentication timing attack due to usage of 'strcmp' and may allow a local attacker to access the management client. The double free in the XSLT show_index function is a memory handling problem. The developer acknowledges the vulnerabilities and has tested the update to ensure all three are mitigated or remediated. Hiawatha is no longer actively supported by the developer, but the developer acknowledges the vulnerabilities and has included mitigations and remediations to all three vulnerabilities in the next release. Description CVE-2025-57783 A request smuggling vulnerability caused by improper header parsing has been identified in the fetch_request function of Hiawatha web server versions 8.5 through 11.7. This vulnerability allows an unauthenticated attacker to smuggle requests and access restricted resources managed by the server. CVE-2025-57784 An authentication timing attack has been identified in the Tomahawk component of Hiawatha web server versions 8.5 through 11.7, which occurs due to the use of strcmp in the handle_admin function. This vulnerability allows a local…Read More