
Cesanta Mongoose vulnerabilities

54 known vulnerabilities affecting cesanta/mongoose.

Total CVEs: 54
CISA KEV: 0
Public exploits: 2
Exploited in wild: 1
Severity breakdown: CRITICAL 23, HIGH 20, MEDIUM 7, LOW 4

Vulnerabilities

Page 3 of 3
CVE-2018-10945 | P4 | HIGH | CVSS 7.5 | Affected: v6.11 | Date: 2018-06-19
[HIGH] CWE-125: The mg_handle_cgi function in mongoose.c in Mongoose 6.11 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash, or NULL pointer dereference) via an HTTP request, related to the mbuf_insert function.
Source: nvd
CVE-2024-42385 | P4 | HIGH | CVSS 7.0 | Affected: ≤ 7.14 | Date: 2024-11-18
[HIGH] CWE-140: Improper Neutralization of Delimiters vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to trigger an out-of-bounds memory write if the PEM certificate contains unexpected characters.
Source: nvd
CVE-2024-42389 | P4 | MEDIUM | CVSS 5.3 | Affected: ≤ 7.14 | Date: 2024-11-18
[MEDIUM] CWE-823: Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.
Source: nvd
CVE-2024-42388 | P4 | MEDIUM | CVSS 5.3 | Affected: ≤ 7.14 | Date: 2024-11-18
[MEDIUM] CWE-823: Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.
Source: nvd
CVE-2024-42387 | P4 | MEDIUM | CVSS 5.3 | Affected: ≤ 7.14 | Date: 2024-11-18
[MEDIUM] CWE-823: Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.
Source: nvd
CVE-2024-42391 | P4 | MEDIUM | CVSS 5.3 | Affected: ≤ 7.14 | Date: 2024-11-18
[MEDIUM] CWE-823: Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.
Source: nvd
CVE-2024-42390 | P4 | MEDIUM | CVSS 5.3 | Affected: ≤ 7.14 | Date: 2024-11-18
[MEDIUM] CWE-823: Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.
Source: nvd
CVE-2018-19587 | P4 | MEDIUM | CVSS 6.5 | Affected: v6.13 | Date: 2018-11-27
[MEDIUM] CWE-119: In Cesanta Mongoose 6.13, a SIGSEGV exists in the mongoose.c mg_mqtt_add_session() function.
Source: nvd
CVE-2026-2967 | P4 | LOW | CVSS 3.7 | Affected: ≤ 7.20 (v7.0 + 20 more) | Date: 2026-02-23
[LOW] CWE-940: A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This affects the function getpeer of the file /src/net_builtin.c of the component TCP Sequence Number Handler. The manipulation leads to improper verification of source of a communication channel. The attack may be initiated remotely. The attack's complexity is rated as high. The
Source: nvd
CVE-2026-2966 | P4 | LOW | CVSS 3.7 | Affected: ≤ 7.20 (v7.0 + 20 more) | Date: 2026-02-23
[LOW] CWE-310: A weakness has been identified in Cesanta Mongoose up to 7.20. The impacted element is the function mg_sendnsreq of the file /src/dns.c of the component DNS Transaction ID Handler. Executing a manipulation of the argument random can lead to insufficiently random values. The attack can be launched remotely. The attack requires a high level of complexity. T
Source: nvd
CVE-2025-65502 | P4 | MEDIUM | CVSS 4.3 | Fixed in: 7.2 | Date: 2025-11-24
[MEDIUM] CWE-476: Null pointer dereference in add_ca_certs() in Cesanta Mongoose before 7.2 allows remote attackers to cause a denial of service via TLS initialization where SSL_CTX_get_cert_store() returns NULL.
Source: nvd
CVE-2026-2968 | P4 | LOW | CVSS 3.7 | Affected: ≤ 7.20 (v7.0 + 20 more) | Date: 2026-02-23
[LOW] CWE-345: A vulnerability was detected in Cesanta Mongoose up to 7.20. This impacts the function mg_chacha20_poly1305_decrypt of the file /src/tls_chacha20.c of the component Poly1305 Authentication Tag Handler. The manipulation results in improper verification of cryptographic signature. The attack may be launched remotely. This attack is characterized by high co
Source: nvd
CVE-2026-6986 | P4 | LOW | CVSS 3.7 | Affected: ≥ 7.0, < 7.21 (v7.0 + 20 more) | Date: 2026-04-25
[LOW] CWE-345: A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This issue affects the function mg_aes_gcm_decrypt of the file /src/tls_aes128.c of the component GCM Authentication Tag Handler. Such manipulation leads to improper verification of cryptographic signature. The attack may be performed from remote. A high complexity level is associ
Source: nvd
CVE-2022-24304 | CRITICAL | Affected: ≥ 6.0.0, < 6.4.6; ≥ 0, < 5.13.15 | Date: 2022-08-27
[CRITICAL] CWE-1321: Mongoose Vulnerable to Prototype Pollution in Schema Object. Description: Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution. The `Schema.path()` function is vulnerable to prototype pollution when setting the `schema` object. This vulnerability allows modification of the Object prototype
Note: as its own description states, this entry concerns the Node.js "mongoose" MongoDB object modeling package, not the Cesanta Mongoose embedded web server; it appears here because of the shared name.
Source: ghsa, osv