Out-of-bounds write in Mongoose - CVE-2023-2905


Published: August 9, 2023 / Updated: June 23, 2025


Vulnerability identifier: #VU111818
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2023-2905
CWE-ID: CWE-787
Exploitation vector: Adjacent network
Exploit availability: No public exploit available
Vulnerable software: Mongoose
Software vendor: Cesanta Software Ltd.

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Due to a failure to validate the length of a parsed MQTT_CMD_PUBLISH message with a variable-length header, Cesanta Mongoose, an embeddable web server, version 7.10 is susceptible to a heap-based buffer overflow in the default configuration. Versions 7.9 and prior do not appear to be vulnerable. This issue is resolved in version 7.11.
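The defect class described above is a missing consistency check between the lengths a PUBLISH packet declares (the fixed-header Remaining Length and the 2-byte topic length in the variable header) and the bytes actually received. The parser below is an added illustration written for this entry; it is not Mongoose's code, and the struct, function and sample names are assumptions. It shows the four checks a PUBLISH parser needs so that no declared length can be used to read or copy beyond the received buffer, and it exercises them on constructed packets, including one whose topic length field claims more bytes than exist.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Illustrative bounds-checked MQTT 3.1.1 PUBLISH parser (added example,
 * not Mongoose's implementation). Pointers point into the caller's buffer. */
struct mqtt_publish {
    uint8_t qos;             /* from fixed-header flags bits 1-2 */
    uint16_t packet_id;      /* only present when qos > 0 */
    const uint8_t *topic;
    size_t topic_len;
    const uint8_t *payload;
    size_t payload_len;
};

/* Decode the 1-4 byte variable-length "Remaining Length" field.
 * Returns bytes consumed, or 0 if the input is truncated or malformed. */
static size_t decode_remaining_length(const uint8_t *buf, size_t len, uint32_t *out)
{
    uint32_t value = 0, multiplier = 1;
    for (size_t i = 0; i < 4 && i < len; i++) {
        value += (uint32_t)(buf[i] & 0x7F) * multiplier;
        if ((buf[i] & 0x80) == 0) { *out = value; return i + 1; }
        multiplier *= 128;
    }
    return 0; /* ran out of bytes, or continuation bit set on the 4th byte */
}

/* Returns 0 on success, -1 on any length inconsistency. */
int parse_mqtt_publish(const uint8_t *buf, size_t len, struct mqtt_publish *out)
{
    uint32_t remaining;
    size_t n, pos, end;

    if (len < 2 || (buf[0] >> 4) != 3) return -1;   /* not a PUBLISH packet */
    memset(out, 0, sizeof *out);
    out->qos = (buf[0] >> 1) & 0x03;
    if (out->qos == 3) return -1;                    /* reserved QoS value */

    n = decode_remaining_length(buf + 1, len - 1, &remaining);
    if (n == 0) return -1;
    pos = 1 + n;
    if (remaining > len - pos) return -1;            /* check 1: declared length fits buffer */
    end = pos + remaining;

    if (end - pos < 2) return -1;                    /* check 2: topic length field present */
    out->topic_len = ((size_t)buf[pos] << 8) | buf[pos + 1];
    pos += 2;
    if (out->topic_len > end - pos) return -1;       /* check 3: topic inside declared length */
    out->topic = buf + pos;
    pos += out->topic_len;

    if (out->qos > 0) {
        if (end - pos < 2) return -1;                /* check 4: packet id present for QoS 1/2 */
        out->packet_id = (uint16_t)((buf[pos] << 8) | buf[pos + 1]);
        pos += 2;
    }
    out->payload = buf + pos;
    out->payload_len = end - pos;
    return 0;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t sample_ok[]         = {0x30,0x07, 0x00,0x03,'a','b','c', 'h','i'};
static const uint8_t sample_qos1[]       = {0x32,0x09, 0x00,0x03,'a','b','c', 0x00,0x2A, 'h','i'};
static const uint8_t sample_bad_topic[]  = {0x30,0x04, 0xFF,0xFF,'a','b'};   /* topic length > data */
static const uint8_t sample_truncated[]  = {0x30,0x20, 0x00,0x01,'a'};       /* remaining length > data */
static const uint8_t sample_bad_varint[] = {0x30,0x80};                      /* unfinished length field */

enum { F_RESULT, F_TOPIC_LEN, F_PAYLOAD_LEN, F_PACKET_ID };

/* Parse buf and return one field, or -1 if the packet was rejected. */
int publish_field(const uint8_t *buf, size_t len, int field)
{
    struct mqtt_publish p;
    if (parse_mqtt_publish(buf, len, &p) != 0) return -1;
    switch (field) {
    case F_TOPIC_LEN:   return (int)p.topic_len;
    case F_PAYLOAD_LEN: return (int)p.payload_len;
    case F_PACKET_ID:   return (int)p.packet_id;
    default:            return 0;
    }
}

int main(void)
{
    printf("ok: topic_len=%d payload_len=%d\n",
           publish_field(sample_ok, sizeof sample_ok, F_TOPIC_LEN),
           publish_field(sample_ok, sizeof sample_ok, F_PAYLOAD_LEN));
    printf("qos1: packet_id=%d\n", publish_field(sample_qos1, sizeof sample_qos1, F_PACKET_ID));
    printf("bad topic length rejected: %d\n", publish_field(sample_bad_topic, sizeof sample_bad_topic, F_RESULT));
    printf("truncated rejected: %d\n", publish_field(sample_truncated, sizeof sample_truncated, F_RESULT));
    printf("bad varint rejected: %d\n", publish_field(sample_bad_varint, sizeof sample_bad_varint, F_RESULT));
    return 0;
}
```

The important design point is that every offset is compared against `end` (the declared remaining length, itself already bounded by the received byte count) before any pointer is formed from it; a parser that trusts the topic length field alone, without check 3, will hand a topic pointer and length to later code that reads or copies past the buffer.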

Remediation

Install the update from the vendor's website.

External links