Mongoose WebSocket Component Integer Overflow Vulnerability

An integer overflow vulnerability has been identified in the WebSocket component of Mongoose versions 7.5 through 7.17. This vulnerability allows an attacker to send a specially crafted WebSocket request that can cause the application to crash. In cases where downstream vendors improperly integrate this component, the vulnerability could lead to a buffer overflow.

Impact

Exploitation of this vulnerability causes the application to crash. However, in cases of improper integration by downstream vendors, it could lead to a buffer overflow, with potential consequences such as memory corruption or arbitrary code execution.

Reproduction

The vulnerability can be reproduced by using the WebSocket server example included with Mongoose. After compiling the server with AddressSanitizer (ASAN) checks, the server can be run and a specific WebSocket packet can be sent from a modified WebSocket client. This packet will trigger the integer overflow vulnerability, causing the server to crash.

Remediation

Users can update to Mongoose version 7.19, where this vulnerability has been addressed.