CVE-2025-9648 — Improper Neutralization of Null Byte or NUL Character in Civetweb

CWE-158 — Improper Neutralization of Null Byte or NUL Character6 documents6 sources

Severity

8.7HIGHNVD

EPSS

1.9%

top 16.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Civetweb Project Civetweb Debian Civetweb Civetweb +2 more

Timeline

PublishedSep 29

Description

A vulnerability in the CivetWeb library's function mg_handle_form_request allows remote attackers to trigger a denial of service (DoS) condition. By sending a specially crafted HTTP POST request containing a null byte in the payload, the server enters an infinite loop during form data parsing. Multiple malicious requests will result in complete CPU exhaustion and render the service unresponsive to further requests. This issue was fixed in commit 782e189. This issue affects only the library, sta…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages5 packages

▶debiandebian/civetweb< civetweb 1.16+dfsg-4 (forky)

▶Debiancivetweb_project/civetweb< 1.16+dfsg-2+deb13u1+1

▶CVEListV5civetweb/civetweb1.10 — 1.16

▶msrcmsrc/azl3_ceph_18.2.2-10_on_azure_linux_3.0

▶msrcmsrc/cbl2_ceph_16.2.10-9_on_cbl_mariner_2.0

🔴Vulnerability Details

GHSA

GHSA-2gxg-pvm2-2p6x: A vulnerability in the CivetWeb library's function mg_handle_form_request allows remote attackers to trigger a denial of service (DoS) condition↗2025-09-29

▶

OSV

CVE-2025-9648: A vulnerability in the CivetWeb library's function mg_handle_form_request allows remote attackers to trigger a denial of service (DoS) condition↗2025-09-29

▶

📋Vendor Advisories

Red Hat

civetweb: Denial of Service in CivetWeb↗2025-09-29

▶

Microsoft

Denial of Service in CivetWeb↗2025-09-09

▶

Debian

CVE-2025-9648: civetweb - A vulnerability in the CivetWeb library's function mg_handle_form_request allows...↗2025

▶