Cesanta: >> Mongoose >> 7.3 Security Vulnerabilities
The HTTP server in Mongoose before 7.10 accepts requests containing negative Content-Length headers. By sending a single attack payload over TCP, an attacker can cause an infinite loop in which the server continuously reparses that payload, and does not respond to any other requests.
CVSS Score
7.5
EPSS Score
0.001
Published
2023-06-23
This affects the package cesanta/mongoose before 7.6. The unsafe handling of file names during upload using mg_http_upload() method may enable attackers to write files to arbitrary locations outside the designated target folder.
CVSS Score
9.8
EPSS Score
0.004
Published
2022-02-18
Page 2