Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability was detected in bettercap up to 2.41.5. Affected by this vulnerability is the function ippReadChunkedBody of the file modules/zerogod/zerogod_ipp_primitives.go of the component zerogod IPP Service. Performing a manipulation results in integer coercion error. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitation appears to be difficult. The exploit is now public and may be used. The patch is named 3731d5576cffae9eefe3721cd46a40933304129f. To fix this issue, it is recommended to deploy a patch.
AnalysisAI
Integer coercion error in bettercap's zerogod IPP service allows remote attackers to trigger information disclosure via malformed chunked HTTP requests. Versions up to 2.41.5 are affected. The vulnerability exists in the ippReadChunkedBody function where integer type conversions lack proper bounds validation, enabling attackers to cause memory access violations that leak sensitive data. Publicly available exploit code exists, and while CVSS 2.9 indicates low severity, the attack requires high complexity and has limited impact; however, the vulnerability is confirmed remotely exploitable without authentication.
Technical ContextAI
The zerogod component in bettercap implements an IPP (Internet Printing Protocol) service handler. The vulnerability resides in the ippReadChunkedBody function in modules/zerogod/zerogod_ipp_primitives.go, which parses HTTP chunked transfer encoding. The root cause is CWE-189 (Numeric Errors), specifically integer type coercion without bounds checking on chunk size values read from untrusted network data. When parsing the chunk size field from HTTP chunk headers, the code converts string values to integers without validating against maximum bounds, allowing an attacker to specify excessively large chunk sizes that trigger integer overflow or out-of-bounds memory access. The patch (commit 3731d5576cffae9eefe3721cd46a40933304129f) introduces a constant IPP_CHUNK_MAX_SIZE (10 MB) and adds validation to reject chunks exceeding this limit, preventing the coercion error. The fix also wraps handler invocation with panic recovery to prevent service crashes.
RemediationAI
Apply the patch commit 3731d5576cffae9eefe3721cd46a40933304129f by updating to a bettercap version that includes this fix (version 2.41.6 or later, pending official release confirmation). The patch introduces an IPP_CHUNK_MAX_SIZE constant of 10 MB and validates incoming chunk sizes against this limit in the ippReadChunkedBody function, rejecting any chunk exceeding the maximum and returning an error. Additionally, the patch wraps handler invocation with panic recovery to gracefully handle crashes rather than terminating the service. Immediate mitigation without patching includes disabling the zerogod IPP service module if not required for operations, or implementing network-level filtering to restrict access to the IPP service port to trusted networks only. Organizations unable to patch immediately should monitor logs for chunked HTTP requests with unusually large declared chunk sizes. No official vendor advisory release has been independently confirmed, but the GitHub commit and PR 1264 (https://github.com/bettercap/bettercap/pull/1264) contain the authoritative fix.
Same weakness CWE-189 – Numeric Errors
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29035
GHSA-322p-rrj6-j44g