Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
A vulnerability has been found in Cesanta Mongoose up to 7.20. This affects the function mg_tls_recv_cert of the file mongoose.c of the component TLS 1.3 Handler. Such manipulation of the argument pubkey leads to heap-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.21 mitigates this issue. The name of the patch is 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1. It is advisable to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
AnalysisAI
Heap-based buffer overflow in Cesanta Mongoose versions up to 7.20 allows unauthenticated remote attackers to compromise confidentiality, integrity, and availability through malicious TLS 1.3 handshake manipulation. The vulnerability resides in mg_tls_recv_cert() function's improper handling of the pubkey argument during certificate processing. Publicly available exploit code exists (CVSS temporal E:P), and vendor-released patch is available in version 7.21. CVSS base score 7.3 reflects network-accessible, low-complexity attack requiring no privileges or user interaction.
Technical ContextAI
Cesanta Mongoose is a lightweight embedded web server and networking library commonly used in IoT devices, embedded systems, and network appliances. The vulnerability (CWE-122: Heap-based Buffer Overflow) occurs in the TLS 1.3 protocol handler within mongoose.c, specifically in the mg_tls_recv_cert() function responsible for processing certificate data during the TLS handshake. When parsing the pubkey argument from incoming certificate messages, insufficient bounds checking allows an attacker to write beyond allocated heap memory. This classic memory corruption flaw can occur when the library processes malformed or oversized public key data structures in X.509 certificates presented during TLS 1.3 session establishment. The affected component (cpe:2.3:a:cesanta:mongoose:*:*:*:*:*:*:*:*) impacts all Mongoose versions through 7.20.
RemediationAI
Upgrade immediately to Cesanta Mongoose version 7.21 or later, which contains the complete fix via commit 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1 addressing the heap overflow in mg_tls_recv_cert() function. Download the patched release from https://github.com/cesanta/mongoose/releases/tag/7.21 or apply the specific commit patch from https://github.com/cesanta/mongoose/commit/0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1 if building from source. If immediate upgrade is not feasible, consider temporary risk mitigation by disabling TLS 1.3 support if operationally acceptable, restricting network access to Mongoose-based services to trusted clients only, or deploying network-layer filtering to inspect TLS handshakes for anomalous certificate structures. Verify patched version deployment and conduct regression testing to ensure TLS functionality remains intact post-upgrade. The vendor responded professionally with rapid patch turnaround, making upgrade the strongly preferred remediation path over workarounds.
Mongoose ODM for Node.js before version 8.9.5 contains a search injection vulnerability when using $where filters with p
An exploitable stack buffer overflow vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6
An exploitable use-after-free vulnerability exists in the HTTP server implementation of Cesanta Mongoose 6.8. Rated crit
An exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8.
An exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8.
Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4. Rated critical severity (CVSS 9.8), this vu
Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6. Rated critical severity (CVSS 9.8), this vu
An integer overflow in parse_mqtt in mongoose.c in Cesanta Mongoose 6.16 allows an attacker to achieve remote DoS (infin
Mongoose before 8.8.3 can improperly use $where in match, leading to search injection. Rated critical severity (CVSS 9.1
The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 (compiled with OpenSSL support) is vulnerable to remote OO
The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 and 6.7-6.18 (compiled with mbedTLS support) is vulnerable
The mg_http_serve_file function in Cesanta Mongoose HTTP server 7.0 is vulnerable to remote OOB write attack via connect
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18170