PT-2025-39825 · Civetweb+1
Artur Łącki · Published 2025-09-29 · Updated 2025-10-02 · CVE-2025-9648
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
CivetWeb versions prior to 1.08
Description
A flaw in the mg_handle_form_request function within the CivetWeb library can be exploited to cause a denial of service (DoS) condition. Sending a specially crafted HTTP POST request with a null byte in the payload causes the server to enter an infinite loop during form data parsing, leading to CPU exhaustion and service unresponsiveness. Multiple malicious requests can completely exhaust CPU resources.
Recommendations
Update to CivetWeb version 1.08 or later.
Fix
DoS
Affected Products
Civetweb
Debian