CVE-2025-52494
BaseFortify

Publication date: 2025-09-03

Last updated on: 2025-09-08

Assigner: MITRE

Description
Adacore Ada Web Server (AWS) before 25.2 is vulnerable to a denial-of-service (DoS) condition due to improper handling of SSL handshakes during connection initialization. When a client initiates an HTTPS connection, the server performs the SSL handshake before assigning the connection to a processing slot. However, there is no specific timeout set for this phase, and the server uses the default socket timeout, which is effectively infinite. An attacker can exploit this by sending a malformed TLS ClientHello message with incorrect length values. This causes the server to wait indefinitely for data that never arrives, blocking the worker thread (Line) handling the connection. By opening multiple such connections, up to the server's maximum limit, the attacker can exhaust all available working threads, preventing the server from handling new, legitimate requests.
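A defensive sketch of the missing control, added here as an example and not taken from AWS or its fix: the read of the first TLS record is charged against one total deadline, so a peer that announces more bytes than it sends releases the worker instead of pinning it. The names `read_first_record`, `HandshakeStalled`, `demo` and the 0.5-second budget are assumptions of this example.

```python
import socket
import struct
import time

BUDGET_S = 0.5          # assumed pre-dispatch budget; tune per deployment
MAX_PLAINTEXT = 2**14   # TLSPlaintext fragment limit; ClientHello is unencrypted


class HandshakeStalled(Exception):
    """Peer did not deliver the bytes it announced before the deadline."""


def _recv_exact(conn, n, deadline):
    """Read exactly n bytes, charging every wait against one shared deadline."""
    buf = bytearray()
    while len(buf) < n:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise HandshakeStalled(f"got {len(buf)} of {n} bytes")
        conn.settimeout(remaining)
        try:
            chunk = conn.recv(n - len(buf))
        except socket.timeout:
            raise HandshakeStalled(f"got {len(buf)} of {n} bytes") from None
        if not chunk:
            raise HandshakeStalled("peer closed mid-record")
        buf += chunk
    return bytes(buf)


def read_first_record(conn, budget_s=BUDGET_S):
    """Return the first TLS record body, or raise so the worker is released."""
    deadline = time.monotonic() + budget_s
    ctype, _ver, length = struct.unpack("!BHH", _recv_exact(conn, 5, deadline))
    if ctype != 22 or length > MAX_PLAINTEXT:  # 22 = handshake content type
        raise ValueError("not a plausible TLS handshake record")
    return _recv_exact(conn, length, deadline)


def demo(announced, sent):
    """Constructed peer: header announces `announced` bytes, `sent` arrive."""
    server, client = socket.socketpair()
    with server, client:
        client.sendall(struct.pack("!BHH", 22, 0x0301, announced) + b"\x00" * sent)
        start = time.monotonic()
        try:
            return len(read_first_record(server)), time.monotonic() - start
        except HandshakeStalled:
            return None, time.monotonic() - start
```

In a real server the same total budget applies to the TLS library's handshake call. A per-read timeout alone is not enough, because a peer that trickles one byte at a time resets it on every read.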
Meta Information
Published: 2025-09-03
Last Modified: 2025-09-08
Generated: 2026-05-07
AI Q&A: 2025-09-03
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: adacore
Product: ada_web_server
Version / Range: to 26.0 (exc)
CWE
CWE-400: The product does not properly control the allocation and maintenance of a limited resource.
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Adacore Ada Web Server (AWS) before version 25.2 is a denial-of-service (DoS) issue caused by improper handling of SSL handshakes during connection initialization. Specifically, when a client starts an HTTPS connection, the server performs the SSL handshake before assigning the connection to a processing slot but does not set a specific timeout for this handshake phase, relying instead on an effectively infinite default socket timeout. An attacker can exploit this by sending malformed TLS ClientHello messages with incorrect length values, causing the server to wait indefinitely for data that never arrives. This blocks the worker thread handling the connection. By opening many such connections, an attacker can exhaust all available worker threads, preventing the server from processing legitimate requests.


How can this vulnerability impact me?

This vulnerability can impact you by causing a denial-of-service condition on the Adacore Ada Web Server. An attacker can exploit it to exhaust all worker threads by sending malformed TLS ClientHello messages, which blocks the server from handling new legitimate HTTPS requests. This results in service unavailability or degraded performance, potentially disrupting access to web services hosted on the affected server.

