cbcvebase.

Cesanta Mongoose vulnerabilities

54 known vulnerabilities affecting cesanta/mongoose.

Total CVEs
54
CISA KEV
0
Public exploits
2
Exploited in wild
1
Severity breakdown
CRITICAL23HIGH20MEDIUM7LOW4

Vulnerabilities

Page 2 of 3
CVE-2024-42383P3CRITICALCVSS 9.8≤ 7.142024-11-18
CVE-2024-42383 [CRITICAL] CWE-823 CVE-2024-42383: Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows to writ Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows to write a NULL byte value beyond the memory space dedicated for the hostname field.
nvd
CVE-2021-26529P3CRITICALCVSS 9.1≥ 6.7, ≤ 6.18v7.02021-02-08
CVE-2021-26529 [CRITICAL] CWE-787 CVE-2021-26529: The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 and 6.7-6.18 (compiled with mbedTLS su The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 and 6.7-6.18 (compiled with mbedTLS support) is vulnerable to remote OOB write attack via connection request after exhausting memory pool.
nvd
CVE-2023-2905P3HIGHCVSS 8.8v7.102023-08-09
CVE-2023-2905 [HIGH] CWE-122 CVE-2023-2905: Due to a failure in validating the length of a provided MQTT_CMD_PUBLISH parsed message with a varia Due to a failure in validating the length of a provided MQTT_CMD_PUBLISH parsed message with a variable length header, Cesanta Mongoose, an embeddable web server, version 7.10 is susceptible to a heap-based buffer overflow vulnerability in the default configuration. Version 7.9 and prior does not appear to be vulnerable. This issue is resolved in versio
nvd
CVE-2019-12951P3CRITICALCVSS 9.8fixed in 6.152019-06-24
CVE-2019-12951 [CRITICAL] CWE-787 CVE-2019-12951: An issue was discovered in Mongoose before 6.15. The parse_mqtt() function in mg_mqtt.c has a critic An issue was discovered in Mongoose before 6.15. The parse_mqtt() function in mg_mqtt.c has a critical heap-based buffer overflow.
nvd
CVE-2019-17426P3CRITICAL≥ 5.0.0, < 5.7.5≥ 0, < 4.13.212019-10-22
CVE-2019-17426 [CRITICAL] CWE-20 Improper Input Validation in Automattic Mongoose Improper Input Validation in Automattic Mongoose Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a `_bsontype` attribute is ignored. For example, adding `"_bsontype":"a"` can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around this _bsontype special case that exists in older versions of t
ghsaosv
CVE-2026-6985P3HIGHCVSS 7.5≥ 7.0, < 7.21v7.0+20 more2026-04-25
CVE-2026-6985 [HIGH] CWE-404 CVE-2026-6985: A weakness has been identified in Cesanta Mongoose up to 7.20. This vulnerability affects the functi A weakness has been identified in Cesanta Mongoose up to 7.20. This vulnerability affects the function handle_opt of the file /src/net_builtin.c of the component TCP Option Handler. This manipulation of the argument optlen causes infinite loop. The attack is possible to be carried out remotely. The exploit has been made available to the public and could
nvd
CVE-2021-26530P3CRITICALCVSS 9.1v7.02021-02-08
CVE-2021-26530 [CRITICAL] CWE-787 CVE-2021-26530: The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 (compiled with OpenSSL support) is vul The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 (compiled with OpenSSL support) is vulnerable to remote OOB write attack via connection request after exhausting memory pool.
nvd
CVE-2021-26528P3CRITICALCVSS 9.1v7.02021-02-08
CVE-2021-26528 [CRITICAL] CWE-787 CVE-2021-26528: The mg_http_serve_file function in Cesanta Mongoose HTTP server 7.0 is vulnerable to remote OOB writ The mg_http_serve_file function in Cesanta Mongoose HTTP server 7.0 is vulnerable to remote OOB write attack via connection request after exhausting memory pool.
nvd
CVE-2022-25299P3HIGHCVSS 7.5fixed in 7.6≥ unspecified, < 7.62022-02-18
CVE-2022-25299 [HIGH] CWE-552 CVE-2022-25299: This affects the package cesanta/mongoose before 7.6. The unsafe handling of file names during uploa This affects the package cesanta/mongoose before 7.6. The unsafe handling of file names during upload using mg_http_upload() method may enable attackers to write files to arbitrary locations outside the designated target folder.
nvd
CVE-2020-25887P3HIGHCVSS 8.8v6.182023-08-22
CVE-2020-25887 [HIGH] CWE-120 CVE-2020-25887: Buffer overflow in mg_resolve_from_hosts_file in Mongoose 6.18, when reading from a crafted hosts fi Buffer overflow in mg_resolve_from_hosts_file in Mongoose 6.18, when reading from a crafted hosts file.
nvd
CVE-2017-2895P3HIGHCVSS 8.2v6.82017-11-07
CVE-2017-2895 [HIGH] CWE-125 CVE-2017-2895: An exploitable arbitrary memory read vulnerability exists in the MQTT packet parsing functionality o An exploitable arbitrary memory read vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT SUBSCRIBE packet can cause an arbitrary out-of-bounds memory read potentially resulting in information disclosure and denial of service. An attacker needs to send a specially crafted MQTT packet over the ne
nvd
CVE-2026-42334P3HIGH≥ 0, < 6.13.9≥ 7.0.0, < 7.8.9+2 more2026-05-05
CVE-2026-42334 [HIGH] CWE-74 Mongoose's Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection Mongoose's Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection ### Impact This vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the `$nor` operator. When sanitizeFilter is enabled, Mongoose wraps query operators in `$eq` to neutralize them. However, prior to the fix, `$nor` was not included in the set of logical operat
ghsa
CVE-2025-51495P3HIGHCVSS 7.5≥ 7.5, ≤ 7.172025-09-29
CVE-2025-51495 [HIGH] CWE-190 CVE-2025-51495: An integer overflow vulnerability exists in the WebSocket component of Mongoose 7.5 thru 7.17. By se An integer overflow vulnerability exists in the WebSocket component of Mongoose 7.5 thru 7.17. By sending a specially crafted WebSocket request, an attacker can cause the application to crash. If downstream vendors integrate this component improperly, the issue may lead to a buffer overflow.
nvd
CVE-2023-34188P3HIGHCVSS 7.5fixed in 7.102023-06-23
CVE-2023-34188 [HIGH] CWE-1284 CVE-2023-34188: The HTTP server in Mongoose before 7.10 accepts requests containing negative Content-Length headers. The HTTP server in Mongoose before 7.10 accepts requests containing negative Content-Length headers. By sending a single attack payload over TCP, an attacker can cause an infinite loop in which the server continuously reparses that payload, and does not respond to any other requests.
nvd
CVE-2024-42386P3HIGHCVSS 7.5≤ 7.142024-11-18
CVE-2024-42386 [HIGH] CWE-823 CVE-2024-42386: Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an atta Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and produce a segmentation fault on the application.
nvd
CVE-2017-2909P3HIGHCVSS 7.5v6.82017-11-07
CVE-2017-2909 [HIGH] CWE-835 CVE-2017-2909: An infinite loop programming error exists in the DNS server functionality of Cesanta Mongoose 6.8 li An infinite loop programming error exists in the DNS server functionality of Cesanta Mongoose 6.8 library. A specially crafted DNS request can cause an infinite loop resulting in high CPU usage and Denial Of Service. An attacker can send a packet over the network to trigger this vulnerability.
nvd
CVE-2024-42384P3HIGHCVSS 7.5≤ 7.142024-11-18
CVE-2024-42384 [HIGH] CWE-190 CVE-2024-42384: Integer Overflow or Wraparound vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker Integer Overflow or Wraparound vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and produce a segmentation fault on the application.
nvd
CVE-2024-42392P3HIGHCVSS 7.5≤ 7.142024-11-18
CVE-2024-42392 [HIGH] CWE-140 CVE-2024-42392: Improper Neutralization of Delimiters vulnerability in Cesanta Mongoose Web Server v7.14 allows to t Improper Neutralization of Delimiters vulnerability in Cesanta Mongoose Web Server v7.14 allows to trigger an infinite loop bug if the input string contains unexpected characters.
nvd
CVE-2023-3696P3CRITICAL≥ 7.0.0, < 7.3.3≥ 6.0.0, < 6.11.3+1 more2023-07-17
CVE-2023-3696 [CRITICAL] CWE-1321 Mongoose Prototype Pollution vulnerability Mongoose Prototype Pollution vulnerability Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.
ghsaosv
CVE-2019-13503P4HIGHCVSS 7.5v6.152019-07-11
CVE-2019-13503 [HIGH] CWE-125 CVE-2019-13503: mq_parse_http in mongoose.c in Mongoose 6.15 has a heap-based buffer over-read. mq_parse_http in mongoose.c in Mongoose 6.15 has a heap-based buffer over-read.
nvd
Cesanta Mongoose vulnerabilities | cvebase