lighttpd (pronounced /lighty/) is a secure, fast, compliant, and very flexible web server that has been optimized for high-performance environments. lighttpd uses memory and CPU efficiently and has lower resource use than other popular web servers. Its advanced feature-set (FastCGI, CGI, Auth, Output-Compression, URL-Rewriting and much more) make lighttpd the perfect web server for all systems, small and large.
CVE-2022-41556 is a resource exhaustion vulnerability in lighttpd 1.4.56 - 1.4.66 affecting gateway backends such as FastCGI. When handling an HTTP/1.1 request with chunked transfer encoding and request-body streaming enabled, lighttpd mishandles an anomalous client disconnect (RDHUP / half-closed TCP connection) before the terminating chunk is sent. In this state, the gateway handler can incorrectly return HANDLER_WAIT_FOR_EVENT without transitioning to an error or cleanup path, leaving the backend connection slot permanently allocated. By repeatedly opening such malformed connections, an attacker can exhaust available backend slots, causing new dynamic requests to hang indefinitely and resulting in a denial of service that persists until the server is restarted.