Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
10DescriptionCVE.org
A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This issue affects the function mg_aes_gcm_decrypt of the file /src/tls_aes128.c of the component GCM Authentication Tag Handler. Such manipulation leads to improper verification of cryptographic signature. The attack may be performed from remote. A high complexity level is associated with this attack. The exploitability is assessed as difficult. The exploit has been disclosed publicly and may be used. Upgrading to version 7.21 is capable of addressing this issue. It is advisable to upgrade the affected component. VulDB has contacted the vendor early and they confirmed quickly, that this issue got fixed already.
AnalysisAI
Improper verification of cryptographic signatures in Cesanta Mongoose versions up to 7.20 allows remote attackers to bypass GCM authentication tag validation in the mg_aes_gcm_decrypt function. The vulnerability has high attack complexity and requires no user interaction, but provides only integrity impact (not confidentiality or availability). Publicly available exploit code exists, and vendor has released patched version 7.21.
Technical ContextAI
The vulnerability resides in the GCM (Galois/Counter Mode) Authentication Tag Handler within the AES-128 cryptographic implementation (file src/tls_aes128.c). GCM mode provides both confidentiality and authenticity guarantees through authenticated encryption. The root cause (CWE-347: Improper Verification of Cryptographic Signature) indicates that the mg_aes_gcm_decrypt function fails to properly validate the authentication tag, which is the 16-byte cryptographic proof that ciphertext has not been tampered with. This allows an attacker to submit forged or modified ciphertext that decrypts successfully without detection of tampering, breaking the authenticity guarantee that GCM is supposed to provide. The high attack complexity reflects that crafting valid forged messages requires cryptographic sophistication or reverse-engineering the implementation.
RemediationAI
Immediately upgrade Cesanta Mongoose to version 7.21 or later, which includes the fix for improper GCM authentication tag verification. The patch is officially released by the vendor at https://github.com/cesanta/mongoose/releases/tag/7.21. If immediate upgrade is not possible, disable GCM-based encryption in Mongoose configuration and use only authenticated encryption modes where the authentication tag validation is independently verified. However, this workaround reduces cryptographic robustness and is not recommended as a long-term solution. Review any messages encrypted with Mongoose 7.20 or earlier using GCM mode for potential tampering, especially authentication tokens (JWT) and critical integrity-sensitive payloads, as attackers may have forged authenticated ciphertexts.
More in Jwt Attack
View allWhy is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update
Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke
Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT
A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti
A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27
A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work
The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t
cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote
Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25662