SB20250228128 - Input validation error in Mongoose
Published: February 28, 2025 Updated: June 23, 2025
Security Bulletin ID
SB20250228128
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Input validation error (CVE-ID: CVE-2023-34188)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
The HTTP server in Mongoose before 7.10 accepts requests containing negative Content-Length headers. By sending a single attack payload over TCP, an attacker can cause an infinite loop in which the server continuously reparses that payload, and does not respond to any other requests.
Remediation
Install update from vendor's website.
References
- https://blog.narfindustries.com/blog/narf-discovers-critical-vulnerabilities-in-cesanta-mongoose-http-server
- https://github.com/cesanta/mongoose/commit/4663090a8fb036146dfe77718cff612b0101cb0f
- https://github.com/cesanta/mongoose/compare/7.9...7.10
- https://github.com/cesanta/mongoose/pull/2197
- https://security.netapp.com/advisory/ntap-20250228-0001/