CVE-2023-34188

Published: 23/06/2023 | Updated: 06/09/2023
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

The HTTP server in Mongoose prior to 7.10 accepts requests containing negative Content-Length headers. By sending a single attack payload over TCP, an attacker can cause an infinite loop in which the server continuously reparses that payload, and does not respond to any other requests.
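The check this summary implies, as an added example (not Mongoose's code and not taken from its fix): a strict Content-Length parser that rejects signed values, plus a framing step that either rejects, waits, or consumes a positive number of bytes. The function names, the `max_body` limit and the idea that the read loop must always advance are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical helper (not Mongoose's API): parse a Content-Length value.
 * RFC 9110 defines the value as 1*DIGIT, so a sign, a space, a hex prefix
 * or an empty string is rejected instead of being converted.
 * Returns 0 and stores the length on success, -1 if the request must be
 * rejected (answer 400 and close the connection). */
int parse_content_length(const char *val, size_t len, uint64_t *out) {
  uint64_t n = 0;
  size_t i;
  if (val == NULL || out == NULL || len == 0) return -1;
  for (i = 0; i < len; i++) {
    unsigned d;
    if (val[i] < '0' || val[i] > '9') return -1; /* rejects '-', '+', ' ' */
    d = (unsigned) (val[i] - '0');
    if (n > (UINT64_MAX - d) / 10) return -1;    /* would overflow uint64 */
    n = n * 10 + d;
  }
  *out = n;
  return 0;
}

/* Constructed framing step: given the header length and the raw
 * Content-Length value, decide how many buffered bytes form the request.
 *   > 0  consume that many bytes
 *     0  request incomplete, wait for more data
 *    -1  malformed or oversized, reject and close
 * A complete request always yields a positive span, so a read loop built
 * on this cannot keep reparsing the same bytes. */
long long request_span(size_t hdr_len, const char *cl, size_t cl_len,
                       size_t buffered, uint64_t max_body) {
  uint64_t body;
  if (hdr_len == 0) return -1;
  if (parse_content_length(cl, cl_len, &body) != 0) return -1;
  if (body > max_body) return -1;
  if (buffered < hdr_len || buffered - hdr_len < body) return 0;
  return (long long) (hdr_len + body);
}
```
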

Vulnerable Product

cesanta mongoose

Github Repositories

Differential testing and fuzzing of HTTP servers and proxies

The HTTP Garden

The HTTP Garden is a collection of HTTP servers and proxies configured to be composable, along with scripts to interact with them in a way that makes finding vulnerabilities much much easier. For some cool demos of the vulnerabilities that you can find with the HTTP Garden, check out our ShmooCon 2024 talk.

Acknowledgements

We'd like to thank our friends at