CVE-2025-65502
BaseFortify
Publication date: 2025-11-24
Last updated on: 2025-12-12
Assigner: MITRE
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cesanta | mongoose | up to 7.2 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a null pointer dereference in the add_ca_certs() function of the Cesanta Mongoose library before version 7.2. Specifically, the function calls SSL_CTX_get_cert_store() without checking if it returns NULL. If the SSL context's certificate store is not properly initialized (SSL_CTX_get_cert_store() returns NULL), the code attempts to dereference this NULL pointer, causing a segmentation fault and crashing the application during TLS initialization. [1]
How can this vulnerability impact me?
This vulnerability can cause a denial of service by crashing the application using the Mongoose library during TLS initialization. Remote attackers can trigger this crash by exploiting the null pointer dereference, leading to a segmentation fault and potentially disrupting service availability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability manifests as a segmentation fault (crash) during TLS initialization in the Mongoose library when SSL_CTX_get_cert_store() returns NULL. Detection can involve monitoring application logs for crashes or segmentation faults related to TLS initialization. Additionally, running the Mongoose MQTT client in a debug environment with AddressSanitizer or similar memory error detection tools can help identify the NULL pointer dereference. There are no specific network commands provided to detect this vulnerability directly. [1]
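One way to apply the log-monitoring advice above, as an added example that is not from the advisory or the Mongoose project: a Python scan of Linux kernel log lines for segfaults whose fault address lies in the first page, the usual signature of a NULL pointer dereference. The log lines, the process name `mqtt_client` and the 4 KiB threshold are constructed assumptions, and the x86 kernel `segfault at` message format is assumed.

```python
import re

# Linux x86 kernel log line for a user-space SIGSEGV (dmesg or journalctl -k).
SEGV_RE = re.compile(
    r"(?P<comm>[^\s\[\]]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<image>[^\[\s]+)\[)?"
)

# Assumption: a fault below 4 KiB is a NULL base pointer plus a small member offset.
NULL_PAGE_LIMIT = 0x1000

# Constructed sample input; "mqtt_client" is a hypothetical binary that links Mongoose.
SAMPLE_LOG = [
    "[ 8123.401122] mqtt_client[4321]: segfault at 10 ip 000055d0c3a1b2f4 sp 00007ffd8c1e4a10 error 4 in mqtt_client[55d0c3a10000+25000]",
    "[ 8130.118204] mqtt_client[4388]: segfault at 10 ip 000055f1a77eb2f4 sp 00007ffe21b09c30 error 4 in mqtt_client[55f1a77e0000+25000]",
    "[ 8200.000311] imgconv[5120]: segfault at 7f3a1c0ffff8 ip 00007f3a1bd41c11 sp 00007ffc0d2210a0 error 6 in libc.so.6[7f3a1bc00000+195000]",
    "[ 8201.532870] usb 1-1: new high-speed USB device number 4 using xhci_hcd",
]


def null_deref_crashes(lines, process=None):
    """Return one record per segfault line whose fault address is in the NULL page."""
    hits = []
    for line in lines:
        m = SEGV_RE.search(line)
        if not m:
            continue  # not a segfault message
        addr = int(m["addr"], 16)
        err = int(m["err"], 16)  # x86 page-fault error code, printed in hex
        if addr >= NULL_PAGE_LIMIT:
            continue  # wild or out-of-bounds pointer, not a NULL dereference
        if process and m["comm"] != process:
            continue
        hits.append({
            "process": m["comm"],
            "pid": int(m["pid"]),
            "fault_addr": addr,
            "access": "write" if err & 0x2 else "read",  # bit 1 set means write
            "image": m["image"],  # mapped object holding the faulting instruction
        })
    return hits


if __name__ == "__main__":
    for hit in null_deref_crashes(SAMPLE_LOG, process="mqtt_client"):
        print(hit)
```

Repeated hits from the same process at the same small address right after each start are consistent with a crash during initialization; a core dump or an AddressSanitizer build then shows which call dereferenced the NULL pointer.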
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the Mongoose library to a version that includes the fix from pull request #3307, merged on October 13, 2025. This patch adds proper NULL pointer checks after SSL_CTX_get_cert_store() to prevent crashes. Until the update can be applied, ensure that TLS initialization code handles potential NULL returns from SSL_CTX_get_cert_store() safely, or consider disabling affected TLS features to avoid triggering the fault. [2]