CVE-2025-52494
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-03

Last updated on: 2025-09-08

Assigner: MITRE

Description
Adacore Ada Web Server (AWS) before 25.2 is vulnerable to a denial-of-service (DoS) condition due to improper handling of SSL handshakes during connection initialization. When a client initiates an HTTPS connection, the server performs the SSL handshake before assigning the connection to a processing slot. However, there is no specific timeout set for this phase, and the server uses the default socket timeout, which is effectively infinite. An attacker can exploit this by sending a malformed TLS ClientHello message with incorrect length values. This causes the server to wait indefinitely for data that never arrives, blocking the worker thread (Line) handling the connection. By opening multiple such connections, up to the server's maximum limit, the attacker can exhaust all available working threads, preventing the server from handling new, legitimate requests.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-03
Last Modified
2025-09-08
Generated
2026-06-16
AI Q&A
2025-09-03
EPSS Evaluated
2026-06-15
NVD
CVE-2025-52494
EUVD
EUVD-2025-26617
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
adacore ada_web_server to 26.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Adacore Ada Web Server (AWS) before version 25.2 is a denial-of-service (DoS) issue caused by improper handling of SSL handshakes during connection initialization. Specifically, when a client starts an HTTPS connection, the server performs the SSL handshake before assigning the connection to a processing slot but does not set a specific timeout for this handshake phase, relying instead on an effectively infinite default socket timeout. An attacker can exploit this by sending malformed TLS ClientHello messages with incorrect length values, causing the server to wait indefinitely for data that never arrives. This blocks the worker thread handling the connection. By opening many such connections, an attacker can exhaust all available worker threads, preventing the server from processing legitimate requests.

Impact Analysis

This vulnerability can impact you by causing a denial-of-service condition on the Adacore Ada Web Server. An attacker can exploit it to exhaust all worker threads by sending malformed TLS ClientHello messages, which blocks the server from handling new legitimate HTTPS requests. This results in service unavailability or degraded performance, potentially disrupting access to web services hosted on the affected server.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-52494. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart