Cesanta Cesanta

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Cesanta product.

RSS Feeds for Cesanta security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Cesanta products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Cesanta Sorted by Most Security Vulnerabilities since 2018

Cesanta Mjs84 vulnerabilities

Cesanta Mongoose37 vulnerabilities

Cesanta Mongoose Os1 vulnerability

Cesanta Mongooseos Mjs1 vulnerability

By the Year

In 2025 there have been 0 vulnerabilities in Cesanta. Last year, in 2024 Cesanta had 18 security vulnerabilities published. Right now, Cesanta is on track to have less security vulnerabilities in 2025 than it did last year.




Year Vulnerabilities Average Score
2025 0 0.00
2024 18 6.89
2023 11 7.06
2022 59 6.07
2021 15 6.51
2020 1 9.80
2019 8 9.39
2018 4 8.05

It may take a day or so for new Cesanta vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Cesanta Security Vulnerabilities

Cesanta Mongoose Web Server: Out-of-range Pointer Offset Vulnerability

CVE-2024-42383 9.8 - Critical - November 18, 2024

Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows to write a NULL byte value beyond the memory space dedicated for the hostname field.

Untrusted pointer offset

Cesanta Mongoose Web Server v7.14 TLS Packet Handling Integer Overflow Vulnerability

CVE-2024-42384 7.5 - High - November 18, 2024

Integer Overflow or Wraparound vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and produce a segmentation fault on the application.

Integer Overflow or Wraparound

Cesanta Mongoose Web Server: Improper Neutralization of Delimiters Leading to Out-of-Bounds Memory W

CVE-2024-42385 7 - High - November 18, 2024

Improper Neutralization of Delimiters vulnerability in Cesanta Mongoose Web Server v7.14 allows to trigger an out-of-bound memory write if the PEM certificate contains unexpected characters.

Improper Neutralization of Delimiters

Cesanta Mongoose Web Server: Use of Out-of-range Pointer Offset in TLS Handling

CVE-2024-42386 7.5 - High - November 18, 2024

Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and produce a segmentation fault on the application.

Untrusted pointer offset

Cesanta Mongoose Web Server: Use of Out-of-range Pointer Offset Vulnerability

CVE-2024-42387 5.3 - Medium - November 18, 2024

Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.

Untrusted pointer offset

Cesanta Mongoose Web Server: Out-of-range Pointer Offset Vulnerability in TLS Handling

CVE-2024-42388 5.3 - Medium - November 18, 2024

Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.

Untrusted pointer offset

Cesanta Mongoose Web Server: Use of Out-of-range Pointer Offset Vulnerability

CVE-2024-42389 5.3 - Medium - November 18, 2024

Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.

Untrusted pointer offset

Cesanta Mongoose Web Server: Out-of-range Pointer Offset Vulnerability in TLS Handling

CVE-2024-42390 5.3 - Medium - November 18, 2024

Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.

Untrusted pointer offset

Cesanta Mongoose Web Server: Out-of-range Pointer Offset Vulnerability in TLS Handling

CVE-2024-42391 5.3 - Medium - November 18, 2024

Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.

Untrusted pointer offset

Cesanta Mongoose Web Server: Improper Neutralization of Delimiters Leading to Infinite Loop

CVE-2024-42392 7.5 - High - November 18, 2024

Improper Neutralization of Delimiters vulnerability in Cesanta Mongoose Web Server v7.14 allows to trigger an infinite loop bug if the input string contains unexpected characters.

Improper Neutralization of Delimiters

An issue in Cesanta mjs 2.20.0

CVE-2024-35384 - May 21, 2024

An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_array_length function in the mjs.c file.

An issue in Cesanta mjs 2.20.0

CVE-2024-35385 - May 21, 2024

An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_mk_ffi_sig function in the mjs.c file.

An issue in Cesanta mjs 2.20.0

CVE-2024-35386 - May 21, 2024

An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_do_gc function in the mjs.c file.

An issue in Cesanta mjs 2.20.0

CVE-2023-49549 7.5 - High - January 02, 2024

An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_getretvalpos function in the msj.c file.

An Out of Bounds Write in Cesanta mjs 2.20.0

CVE-2023-49552 7.5 - High - January 02, 2024

An Out of Bounds Write in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_op_json_stringify function in the msj.c file.

Out-of-bounds Read

An issue in Cesanta mjs 2.20.0

CVE-2023-49553 7.5 - High - January 02, 2024

An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_destroy function in the msj.c file.

An issue in Cesanta mjs 2.20.0

CVE-2023-49550 7.5 - High - January 02, 2024

An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs+0x4ec508 component.

An issue in Cesanta mjs 2.20.0

CVE-2023-49551 7.5 - High - January 02, 2024

An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_op_json_parse function in the msj.c file.

Cesanta MJS 2.20.0 has a getprop_builtin_foreign out-of-bounds read if a Built-in API name occurs in a substring of an input string.

CVE-2023-50044 9.8 - Critical - December 20, 2023

Cesanta MJS 2.20.0 has a getprop_builtin_foreign out-of-bounds read if a Built-in API name occurs in a substring of an input string.

Classic Buffer Overflow

Cesanta mjs v2.20.0 was discovered to contain a function pointer hijacking vulnerability via the function mjs_get_ptr()

CVE-2023-43338 9.8 - Critical - September 23, 2023

Cesanta mjs v2.20.0 was discovered to contain a function pointer hijacking vulnerability via the function mjs_get_ptr(). This vulnerability allows attackers to execute arbitrary code via a crafted input.

Memory Corruption

Buffer overflow in mg_resolve_

CVE-2020-25887 8.8 - High - August 22, 2023

Buffer overflow in mg_resolve_from_hosts_file in Mongoose 6.18, when reading from a crafted hosts file.

Classic Buffer Overflow

Due to a failure in validating the length of a provided MQTT_CMD_PUBLISH parsed message with a variable length header

CVE-2023-2905 8.8 - High - August 09, 2023

Due to a failure in validating the length of a provided MQTT_CMD_PUBLISH parsed message with a variable length header, Cesanta Mongoose, an embeddable web server, version 7.10 is susceptible to a heap-based buffer overflow vulnerability in the default configuration. Version 7.9 and prior does not appear to be vulnerable. This issue is resolved in version 7.11.

Memory Corruption

The HTTP server in Mongoose before 7.10 accepts requests containing negative Content-Length headers

CVE-2023-34188 7.5 - High - June 23, 2023

The HTTP server in Mongoose before 7.10 accepts requests containing negative Content-Length headers. By sending a single attack payload over TCP, an attacker can cause an infinite loop in which the server continuously reparses that payload, and does not respond to any other requests.

Buffer Overflow vulnerability found in Cesanta MJS v.1.26

CVE-2023-30087 5.5 - Medium - May 09, 2023

Buffer Overflow vulnerability found in Cesanta MJS v.1.26 allows a local attacker to cause a denial of service via the mjs_mk_string function in mjs.c.

Memory Corruption

An issue found in Cesanta MJS v.1.26

CVE-2023-30088 5.5 - Medium - May 09, 2023

An issue found in Cesanta MJS v.1.26 allows a local attacker to cause a denial of service via the mjs_execute function in mjs.c.

Buffer Overflow

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_ffi_cb_free at src/mjs_ffi.c

CVE-2023-29570 5.5 - Medium - April 24, 2023

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_ffi_cb_free at src/mjs_ffi.c. This vulnerability can lead to a Denial of Service (DoS).

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via ffi_cb_impl_wpwwwww at src/mjs_ffi.c

CVE-2023-29569 5.5 - Medium - April 14, 2023

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via ffi_cb_impl_wpwwwww at src/mjs_ffi.c. This vulnerability can lead to a Denial of Service (DoS).

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via gc_sweep at src/mjs_gc.c

CVE-2023-29571 5.5 - Medium - April 12, 2023

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via gc_sweep at src/mjs_gc.c. This vulnerability can lead to a Denial of Service (DoS).

Buffer Overflow vulnerability in Cesanta mJS 1.26

CVE-2021-36535 5.5 - Medium - February 03, 2023

Buffer Overflow vulnerability in Cesanta mJS 1.26 allows remote attackers to cause a denial of service via crafted .js file to mjs_set_errorf.

Memory Corruption

An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6)

CVE-2021-33445 5.5 - Medium - July 26, 2022

An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in mjs_string_char_code_at() in mjs.c.

NULL Pointer Dereference

An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6)

CVE-2021-33449 5.5 - Medium - July 26, 2022

An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in mjs_bcode_part_get_by_offset() in mjs.c.

NULL Pointer Dereference

An issue was discovered in mjs(mJS: Restricted JavaScript engine), ES6 (JavaScript version 6)

CVE-2021-33448 5.5 - Medium - July 26, 2022

An issue was discovered in mjs(mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is stack buffer overflow at 0x7fffe9049390.

Memory Corruption

An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6)

CVE-2021-33447 5.5 - Medium - July 26, 2022

An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in mjs_print() in mjs.c.

NULL Pointer Dereference

An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6)

CVE-2021-33446 5.5 - Medium - July 26, 2022

An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in mjs_next() in mjs.c.

NULL Pointer Dereference

An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6)

CVE-2021-33444 5.5 - Medium - July 26, 2022

An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in getprop_builtin_foreign() in mjs.c.

NULL Pointer Dereference

An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6)

CVE-2021-33443 5.5 - Medium - July 26, 2022

An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is stack buffer overflow in mjs_execute() in mjs.c.

Memory Corruption

An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6)

CVE-2021-33441 5.5 - Medium - July 26, 2022

An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in exec_expr() in mjs.c.

NULL Pointer Dereference

An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6)

CVE-2021-33442 5.5 - Medium - July 26, 2022

An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in json_printf() in mjs.c.

NULL Pointer Dereference

An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6)

CVE-2021-33440 5.5 - Medium - July 26, 2022

An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in mjs_bcode_commit() in mjs.c.

NULL Pointer Dereference

An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6)

CVE-2021-33439 5.5 - Medium - July 26, 2022

An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is Integer overflow in gc_compact_strings() in mjs.c.

Integer Overflow or Wraparound

An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6)

CVE-2021-33438 5.5 - Medium - July 26, 2022

An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is stack buffer overflow in json_parse_array() in mjs.c.

Memory Corruption

An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6)

CVE-2021-33437 5.5 - Medium - July 26, 2022

An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There are memory leaks in frozen_cb() in mjs.c.

Memory Leak

Cesanta Software Mongoose-OS v2.17.0 is vulnerable to integer wrap-around in function mm_malloc

CVE-2021-27425 9.8 - Critical - May 03, 2022

Cesanta Software Mongoose-OS v2.17.0 is vulnerable to integer wrap-around in function mm_malloc. This improper memory assignment can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution.

Integer Overflow or Wraparound

This affects the package cesanta/mongoose before 7.6

CVE-2022-25299 7.5 - High - February 18, 2022

This affects the package cesanta/mongoose before 7.6. The unsafe handling of file names during upload using mg_http_upload() method may enable attackers to write files to arbitrary locations outside the designated target folder.

Files or Directories Accessible to External Parties

Cesanta MJS v2.20.0 was discovered to contain a stack overflow

CVE-2021-46509 7.8 - High - January 27, 2022

Cesanta MJS v2.20.0 was discovered to contain a stack overflow via snquote at mjs/src/mjs_json.c.

Stack Exhaustion

Cesanta MJS v2.20.0 was discovered to contain a heap buffer overflow

CVE-2021-46520 7.8 - High - January 27, 2022

Cesanta MJS v2.20.0 was discovered to contain a heap buffer overflow via mjs_jprintf at src/mjs_util.c.

Memory Corruption

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_apply at src/mjs_exec.c

CVE-2021-46512 5.5 - Medium - January 27, 2022

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_apply at src/mjs_exec.c. This vulnerability can lead to a Denial of Service (DoS).

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_stack_size at mjs/src/mjs_core.c

CVE-2021-46516 5.5 - Medium - January 27, 2022

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_stack_size at mjs/src/mjs_core.c. This vulnerability can lead to a Denial of Service (DoS).

Cesanta MJS v2.20.0 was discovered to contain a heap buffer overflow

CVE-2021-46518 7.8 - High - January 27, 2022

Cesanta MJS v2.20.0 was discovered to contain a heap buffer overflow via mjs_disown at src/mjs_core.c.

Memory Corruption

Cesanta MJS v2.20.0 was discovered to contain a heap buffer overflow

CVE-2021-46519 7.8 - High - January 27, 2022

Cesanta MJS v2.20.0 was discovered to contain a heap buffer overflow via mjs_array_length at src/mjs_array.c.

Memory Corruption

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.