Mongoose
CVE-2024-42385
HIGH
Severity by source
AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Improper Neutralization of Delimiters vulnerability in Cesanta Mongoose Web Server v7.14 allows to trigger an out-of-bound memory write if the PEM certificate contains unexpected characters.
AnalysisAI
Improper Neutralization of Delimiters vulnerability in Cesanta Mongoose Web Server v7.14 allows to trigger an out-of-bound memory write if the PEM certificate contains unexpected characters. Rated high severity (CVSS 7.0), this vulnerability is no authentication required. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-140. Improper Neutralization of Delimiters vulnerability in Cesanta Mongoose Web Server v7.14 allows to trigger an out-of-bound memory write if the PEM certificate contains unexpected characters. Affected products include: Cesanta Mongoose.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Mongoose ODM for Node.js before version 8.9.5 contains a search injection vulnerability when using $where filters with p
An exploitable stack buffer overflow vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6
An exploitable use-after-free vulnerability exists in the HTTP server implementation of Cesanta Mongoose 6.8. Rated crit
An exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8.
An exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8.
Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4. Rated critical severity (CVSS 9.8), this vu
Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6. Rated critical severity (CVSS 9.8), this vu
An integer overflow in parse_mqtt in mongoose.c in Cesanta Mongoose 6.16 allows an attacker to achieve remote DoS (infin
Mongoose before 8.8.3 can improperly use $where in match, leading to search injection. Rated critical severity (CVSS 9.1
The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 (compiled with OpenSSL support) is vulnerable to remote OO
The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 and 6.7-6.18 (compiled with mbedTLS support) is vulnerable
The mg_http_serve_file function in Cesanta Mongoose HTTP server 7.0 is vulnerable to remote OOB write attack via connect
Same weakness CWE-140 – Improper Neutralization of Delimiters
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today