CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:D/RE:L/U:X
Description (NVD)
Zervit's portable HTTP/web server is vulnerable to remote DoS attacks when a configuration reset request is made. The vulnerability is caused by inadequate validation of user-supplied input. An attacker can exploit this vulnerability by sending malicious requests. If the vulnerability is successfully exploited, the application can be made to stop responding, resulting in a DoS condition. It is possible to manually restart the application.
Analysis (AI)
Remote denial of service in the Zervit portable HTTP/web server allows unauthenticated attackers to crash the application via malformed configuration reset requests. Network-accessible (AV:N) with low attack complexity (AC:L), but with attack requirements present (AT:P), meaning a specific server state or precondition must hold for the attack to succeed. EPSS data unavailable; not listed in CISA KEV. No public exploit code identified at the time of analysis. The high availability impact (VA:H) makes this critical for production deployments, though the ability to restart the application manually partially mitigates the risk of a sustained outage.
Technical Context (AI)
Zervit is a lightweight portable HTTP/web server, likely used for embedded systems, development environments, or minimal deployment scenarios. The vulnerability stems from CWE-20 (Improper Input Validation) in the configuration reset endpoint: when the server receives a configuration reset request, insufficient validation of the request structure or parameters allows malformed data to trigger an unhandled exception or a resource exhaustion condition. The CVSS 4.0 vector indicates high availability impact (VA:H) confined to the vulnerable component itself (SC:N/SI:N/SA:N), with exploitation assessed as automatable (AU:Y). The AT:P (Attack Requirements: Present) metric indicates that the attack depends on conditions outside the attacker's control, possibly a particular server state such as an active configuration operation or an unlocked reset endpoint.
Remediation (AI)
Check the INCIBE-CERT advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/incorrect-input-validation-zervit-portable-httpweb-server for vendor-confirmed patched versions and upgrade instructions. No vendor-released patch version is confirmed in the available NVD data; organizations must consult the INCIBE advisory or contact the Zervit maintainers directly.

Compensating controls pending patch deployment:

(1) Restrict network access to Zervit's configuration endpoints using firewall rules, allowing only trusted administrative IPs. This blocks remote exploitation but limits legitimate remote administration.
(2) Deploy Zervit behind a reverse proxy (nginx, Apache) with rate limiting and request validation on configuration paths. This adds latency and complexity but filters malformed requests before they reach the server.
(3) If Zervit supports it, disable the configuration reset endpoint entirely when it is not operationally required. This eliminates the attack surface but removes legitimate reset functionality.
(4) Implement automated service monitoring with restart scripts to minimize DoS impact. This does not prevent exploitation but reduces the attacker's payoff and the operational disruption.

For internet-facing deployments where remote administration is unnecessary, blocking external access to administrative endpoints provides the highest risk reduction with minimal operational impact.
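As an added illustration of compensating controls (1) through (3) above, not taken from the advisory or the Zervit project, the following nginx fragment puts an allow-list, a rate limit, a method restriction and a body-size cap in front of Zervit's administrative paths. It assumes Zervit is bound to 127.0.0.1:8080 so it is reachable only through the proxy, that its configuration endpoints live under /config/ (a placeholder; the advisory does not name the real path), and that 10.0.10.0/24 is the administrative network; all three are assumptions.

```nginx
# Added example, not vendor configuration. Place limit_req_zone in the http {} block.
# ASSUMPTIONS (labelled): Zervit listens on 127.0.0.1:8080 only; its configuration
# and reset endpoints are under /config/ (PLACEHOLDER path, not taken from the
# advisory); 10.0.10.0/24 is the constructed administrative network.

limit_req_zone $binary_remote_addr zone=zervit_admin:1m rate=2r/m;

server {
    listen 80;
    server_name zervit.example.internal;   # constructed hostname

    # Control (3): if the reset operation is not needed, remove it entirely at the
    # proxy so the request never reaches Zervit. PLACEHOLDER path.
    location = /config/reset {
        return 404;
    }

    # Controls (1) and (2): only trusted admin IPs, at a low rate, with a
    # constrained request shape may reach the remaining configuration paths.
    location ^~ /config/ {
        allow 10.0.10.0/24;   # trusted admin network (constructed)
        deny  all;            # everyone else is refused here, not by Zervit

        limit_req zone=zervit_admin burst=3 nodelay;
        limit_req_status 429;

        # Assumption: operators only use GET (implies HEAD) and POST here.
        limit_except GET POST { deny all; }

        # Oversized bodies are rejected by nginx before being proxied.
        client_max_body_size 4k;

        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Ordinary content is proxied without the administrative restrictions.
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

The allow-list is only effective if Zervit itself is not reachable from the network directly; verify with `nginx -t` and confirm that requests to /config/ from outside the administrative range receive 403 in the nginx access log rather than a response from Zervit.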
External POC / Exploit Code
EUVD-2025-209536
GHSA-mwv3-mcxm-vh5m