Cesanta
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Cesanta product.
RSS Feeds for Cesanta security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Cesanta products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Cesanta Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2025 there have been 0 vulnerabilities in Cesanta. Last year, in 2024 Cesanta had 18 security vulnerabilities published. Right now, Cesanta is on track to have less security vulnerabilities in 2025 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2025 | 0 | 0.00 |
| 2024 | 18 | 6.89 |
| 2023 | 11 | 7.06 |
| 2022 | 59 | 6.07 |
| 2021 | 15 | 6.51 |
| 2020 | 1 | 9.80 |
| 2019 | 8 | 9.39 |
| 2018 | 4 | 8.05 |
It may take a day or so for new Cesanta vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Cesanta Security Vulnerabilities
Cesanta Mongoose Web Server: Out-of-range Pointer Offset Vulnerability
CVE-2024-42383
9.8 - Critical
- November 18, 2024
Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows to write a NULL byte value beyond the memory space dedicated for the hostname field.
Untrusted pointer offset
Cesanta Mongoose Web Server v7.14 TLS Packet Handling Integer Overflow Vulnerability
CVE-2024-42384
7.5 - High
- November 18, 2024
Integer Overflow or Wraparound vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and produce a segmentation fault on the application.
Integer Overflow or Wraparound
Cesanta Mongoose Web Server: Improper Neutralization of Delimiters Leading to Out-of-Bounds Memory W
CVE-2024-42385
7 - High
- November 18, 2024
Improper Neutralization of Delimiters vulnerability in Cesanta Mongoose Web Server v7.14 allows to trigger an out-of-bound memory write if the PEM certificate contains unexpected characters.
Improper Neutralization of Delimiters
Cesanta Mongoose Web Server: Use of Out-of-range Pointer Offset in TLS Handling
CVE-2024-42386
7.5 - High
- November 18, 2024
Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and produce a segmentation fault on the application.
Untrusted pointer offset
Cesanta Mongoose Web Server: Use of Out-of-range Pointer Offset Vulnerability
CVE-2024-42387
5.3 - Medium
- November 18, 2024
Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.
Untrusted pointer offset
Cesanta Mongoose Web Server: Out-of-range Pointer Offset Vulnerability in TLS Handling
CVE-2024-42388
5.3 - Medium
- November 18, 2024
Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.
Untrusted pointer offset
Cesanta Mongoose Web Server: Use of Out-of-range Pointer Offset Vulnerability
CVE-2024-42389
5.3 - Medium
- November 18, 2024
Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.
Untrusted pointer offset
Cesanta Mongoose Web Server: Out-of-range Pointer Offset Vulnerability in TLS Handling
CVE-2024-42390
5.3 - Medium
- November 18, 2024
Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.
Untrusted pointer offset
Cesanta Mongoose Web Server: Out-of-range Pointer Offset Vulnerability in TLS Handling
CVE-2024-42391
5.3 - Medium
- November 18, 2024
Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.
Untrusted pointer offset
Cesanta Mongoose Web Server: Improper Neutralization of Delimiters Leading to Infinite Loop
CVE-2024-42392
7.5 - High
- November 18, 2024
Improper Neutralization of Delimiters vulnerability in Cesanta Mongoose Web Server v7.14 allows to trigger an infinite loop bug if the input string contains unexpected characters.
Improper Neutralization of Delimiters
An issue in Cesanta mjs 2.20.0
CVE-2024-35384
- May 21, 2024
An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_array_length function in the mjs.c file.
An issue in Cesanta mjs 2.20.0
CVE-2024-35385
- May 21, 2024
An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_mk_ffi_sig function in the mjs.c file.
An issue in Cesanta mjs 2.20.0
CVE-2024-35386
- May 21, 2024
An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_do_gc function in the mjs.c file.
An issue in Cesanta mjs 2.20.0
CVE-2023-49549
7.5 - High
- January 02, 2024
An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_getretvalpos function in the msj.c file.
An Out of Bounds Write in Cesanta mjs 2.20.0
CVE-2023-49552
7.5 - High
- January 02, 2024
An Out of Bounds Write in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_op_json_stringify function in the msj.c file.
Out-of-bounds Read
An issue in Cesanta mjs 2.20.0
CVE-2023-49553
7.5 - High
- January 02, 2024
An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_destroy function in the msj.c file.
An issue in Cesanta mjs 2.20.0
CVE-2023-49550
7.5 - High
- January 02, 2024
An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs+0x4ec508 component.
An issue in Cesanta mjs 2.20.0
CVE-2023-49551
7.5 - High
- January 02, 2024
An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_op_json_parse function in the msj.c file.
Cesanta MJS 2.20.0 has a getprop_builtin_foreign out-of-bounds read if a Built-in API name occurs in a substring of an input string.
CVE-2023-50044
9.8 - Critical
- December 20, 2023
Cesanta MJS 2.20.0 has a getprop_builtin_foreign out-of-bounds read if a Built-in API name occurs in a substring of an input string.
Classic Buffer Overflow
Cesanta mjs v2.20.0 was discovered to contain a function pointer hijacking vulnerability via the function mjs_get_ptr()
CVE-2023-43338
9.8 - Critical
- September 23, 2023
Cesanta mjs v2.20.0 was discovered to contain a function pointer hijacking vulnerability via the function mjs_get_ptr(). This vulnerability allows attackers to execute arbitrary code via a crafted input.
Memory Corruption
Buffer overflow in mg_resolve_
CVE-2020-25887
8.8 - High
- August 22, 2023
Buffer overflow in mg_resolve_from_hosts_file in Mongoose 6.18, when reading from a crafted hosts file.
Classic Buffer Overflow
Due to a failure in validating the length of a provided MQTT_CMD_PUBLISH parsed message with a variable length header
CVE-2023-2905
8.8 - High
- August 09, 2023
Due to a failure in validating the length of a provided MQTT_CMD_PUBLISH parsed message with a variable length header, Cesanta Mongoose, an embeddable web server, version 7.10 is susceptible to a heap-based buffer overflow vulnerability in the default configuration. Version 7.9 and prior does not appear to be vulnerable. This issue is resolved in version 7.11.
Memory Corruption
The HTTP server in Mongoose before 7.10 accepts requests containing negative Content-Length headers
CVE-2023-34188
7.5 - High
- June 23, 2023
The HTTP server in Mongoose before 7.10 accepts requests containing negative Content-Length headers. By sending a single attack payload over TCP, an attacker can cause an infinite loop in which the server continuously reparses that payload, and does not respond to any other requests.
Buffer Overflow vulnerability found in Cesanta MJS v.1.26
CVE-2023-30087
5.5 - Medium
- May 09, 2023
Buffer Overflow vulnerability found in Cesanta MJS v.1.26 allows a local attacker to cause a denial of service via the mjs_mk_string function in mjs.c.
Memory Corruption
An issue found in Cesanta MJS v.1.26
CVE-2023-30088
5.5 - Medium
- May 09, 2023
An issue found in Cesanta MJS v.1.26 allows a local attacker to cause a denial of service via the mjs_execute function in mjs.c.
Buffer Overflow
Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_ffi_cb_free at src/mjs_ffi.c
CVE-2023-29570
5.5 - Medium
- April 24, 2023
Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_ffi_cb_free at src/mjs_ffi.c. This vulnerability can lead to a Denial of Service (DoS).
Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via ffi_cb_impl_wpwwwww at src/mjs_ffi.c
CVE-2023-29569
5.5 - Medium
- April 14, 2023
Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via ffi_cb_impl_wpwwwww at src/mjs_ffi.c. This vulnerability can lead to a Denial of Service (DoS).
Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via gc_sweep at src/mjs_gc.c
CVE-2023-29571
5.5 - Medium
- April 12, 2023
Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via gc_sweep at src/mjs_gc.c. This vulnerability can lead to a Denial of Service (DoS).
Buffer Overflow vulnerability in Cesanta mJS 1.26
CVE-2021-36535
5.5 - Medium
- February 03, 2023
Buffer Overflow vulnerability in Cesanta mJS 1.26 allows remote attackers to cause a denial of service via crafted .js file to mjs_set_errorf.
Memory Corruption
An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6)
CVE-2021-33445
5.5 - Medium
- July 26, 2022
An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in mjs_string_char_code_at() in mjs.c.
NULL Pointer Dereference
An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6)
CVE-2021-33449
5.5 - Medium
- July 26, 2022
An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in mjs_bcode_part_get_by_offset() in mjs.c.
NULL Pointer Dereference
An issue was discovered in mjs(mJS: Restricted JavaScript engine), ES6 (JavaScript version 6)
CVE-2021-33448
5.5 - Medium
- July 26, 2022
An issue was discovered in mjs(mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is stack buffer overflow at 0x7fffe9049390.
Memory Corruption
An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6)
CVE-2021-33447
5.5 - Medium
- July 26, 2022
An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in mjs_print() in mjs.c.
NULL Pointer Dereference
An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6)
CVE-2021-33446
5.5 - Medium
- July 26, 2022
An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in mjs_next() in mjs.c.
NULL Pointer Dereference
An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6)
CVE-2021-33444
5.5 - Medium
- July 26, 2022
An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in getprop_builtin_foreign() in mjs.c.
NULL Pointer Dereference
An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6)
CVE-2021-33443
5.5 - Medium
- July 26, 2022
An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is stack buffer overflow in mjs_execute() in mjs.c.
Memory Corruption
An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6)
CVE-2021-33441
5.5 - Medium
- July 26, 2022
An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in exec_expr() in mjs.c.
NULL Pointer Dereference
An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6)
CVE-2021-33442
5.5 - Medium
- July 26, 2022
An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in json_printf() in mjs.c.
NULL Pointer Dereference
An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6)
CVE-2021-33440
5.5 - Medium
- July 26, 2022
An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in mjs_bcode_commit() in mjs.c.
NULL Pointer Dereference
An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6)
CVE-2021-33439
5.5 - Medium
- July 26, 2022
An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is Integer overflow in gc_compact_strings() in mjs.c.
Integer Overflow or Wraparound
An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6)
CVE-2021-33438
5.5 - Medium
- July 26, 2022
An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is stack buffer overflow in json_parse_array() in mjs.c.
Memory Corruption
An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6)
CVE-2021-33437
5.5 - Medium
- July 26, 2022
An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There are memory leaks in frozen_cb() in mjs.c.
Memory Leak
Cesanta Software Mongoose-OS v2.17.0 is vulnerable to integer wrap-around in function mm_malloc
CVE-2021-27425
9.8 - Critical
- May 03, 2022
Cesanta Software Mongoose-OS v2.17.0 is vulnerable to integer wrap-around in function mm_malloc. This improper memory assignment can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution.
Integer Overflow or Wraparound
This affects the package cesanta/mongoose before 7.6
CVE-2022-25299
7.5 - High
- February 18, 2022
This affects the package cesanta/mongoose before 7.6. The unsafe handling of file names during upload using mg_http_upload() method may enable attackers to write files to arbitrary locations outside the designated target folder.
Files or Directories Accessible to External Parties
Cesanta MJS v2.20.0 was discovered to contain a stack overflow
CVE-2021-46509
7.8 - High
- January 27, 2022
Cesanta MJS v2.20.0 was discovered to contain a stack overflow via snquote at mjs/src/mjs_json.c.
Stack Exhaustion
Cesanta MJS v2.20.0 was discovered to contain a heap buffer overflow
CVE-2021-46520
7.8 - High
- January 27, 2022
Cesanta MJS v2.20.0 was discovered to contain a heap buffer overflow via mjs_jprintf at src/mjs_util.c.
Memory Corruption
Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_apply at src/mjs_exec.c
CVE-2021-46512
5.5 - Medium
- January 27, 2022
Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_apply at src/mjs_exec.c. This vulnerability can lead to a Denial of Service (DoS).
Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_stack_size at mjs/src/mjs_core.c
CVE-2021-46516
5.5 - Medium
- January 27, 2022
Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_stack_size at mjs/src/mjs_core.c. This vulnerability can lead to a Denial of Service (DoS).
Cesanta MJS v2.20.0 was discovered to contain a heap buffer overflow
CVE-2021-46518
7.8 - High
- January 27, 2022
Cesanta MJS v2.20.0 was discovered to contain a heap buffer overflow via mjs_disown at src/mjs_core.c.
Memory Corruption
Cesanta MJS v2.20.0 was discovered to contain a heap buffer overflow
CVE-2021-46519
7.8 - High
- January 27, 2022
Cesanta MJS v2.20.0 was discovered to contain a heap buffer overflow via mjs_array_length at src/mjs_array.c.
Memory Corruption