Mongoose Web Server Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Mongoose Web Server version 6.9. This vulnerability allows remote attackers to crash the service by establishing multiple socket connections. Attackers can repeatedly create connections to the default port and send malformed data, exhausting server resources and causing service unavailability.

Impact

Exploitation of this vulnerability leads to a crash of the web server, causing a denial-of-service condition where the service becomes unavailable to users.

Reproduction

The vulnerability can be reproduced by opening multiple socket connections to the default port of the Mongoose Web Server. Once the connections are established, malformed data is sent over them to exhaust server resources. This can be automated with a simple script that creates multiple connections and sends data, similar to the proof-of-concept available on Exploit Database.

Added: Mar 6, 2026, 1:20 PM
Updated: Mar 6, 2026, 1:20 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 3.5
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.