Debian Civetweb vulnerabilities
4 known vulnerabilities affecting debian/civetweb.
Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 2, LOW 2
Vulnerabilities
CVE-2025-9648 | HIGH | CVSS 8.7 | fixed in civetweb 1.16+dfsg-4 (forky) | 2025
CVE-2025-9648 [HIGH]: civetweb
A vulnerability in the CivetWeb library's function mg_handle_form_request allows remote attackers to trigger a denial of service (DoS) condition. By sending a specially crafted HTTP POST request containing a null byte in the payload, the server enters an infinite loop during form data parsing. Multiple malicious requests will result in complete CPU exhaustion and ren
debian
CVE-2025-55763 | HIGH | CVSS 7.5 | fixed in civetweb 1.16+dfsg-3 (forky) | 2025
CVE-2025-55763 [HIGH]: civetweb
Buffer Overflow in the URI parser of CivetWeb 1.14 through 1.16 (latest) allows a remote attacker to achieve remote code execution via a crafted HTTP request. This vulnerability is triggered during request processing and may allow an attacker to corrupt heap memory, potentially leading to denial of service or arbitrary code execution.
Scope: local
bookworm: open
bu
debian
CVE-2020-27304 | LOW | CVSS 9.8 | fixed in civetweb 1.15+dfsg-1 (bookworm) | 2020
CVE-2020-27304 [CRITICAL]: civetweb
The CivetWeb web library does not validate uploaded filepaths when running on an OS other than Windows, when using the built-in HTTP form-based file upload mechanism, via the mg_handle_form_request API. Web applications that use the file upload form handler, and use parts of the user-controlled filename in the output path, are susceptible to directory traversal
debian
CVE-2018-12684 | LOW | CVSS 7.1 | 2018
CVE-2018-12684 [HIGH]: civetweb
Out-of-bounds Read in the send_ssi_file function in civetweb.c in CivetWeb through 1.10 allows attackers to cause a Denial of Service or Information Disclosure via a crafted SSI file.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
debian