CVE-2019-25594
Denial of Service via Buffer Overflow in ASPRunner.NET
Publication date: 2026-03-22
Last updated on: 2026-03-22
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| asprunner | asprunner.net | 10.1 |
| xlinesoft | asprunner.net | up to 11.2 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-807 | The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2019-25594 is a denial of service (DoS) vulnerability in ASPRunner.NET version 10.1 and earlier. It occurs because the application improperly handles the table name field during database table creation.
Local attackers can supply an excessively long string (up to 10,000 characters) in the table name parameter. This causes the application to crash by triggering a buffer overflow condition.
The vulnerability allows attackers to crash the application by making it unresponsive or causing it to terminate unexpectedly.
How can this vulnerability impact me?
This vulnerability impacts the availability of the ASPRunner.NET application by allowing local attackers to crash it.
An attacker can cause a denial of service by supplying a very long string in the table name field during database creation, which leads to the application becoming unresponsive or terminating unexpectedly.
Since the attack requires local access and no privileges or user interaction, it can disrupt normal operations and cause downtime.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to reproduce the denial of service condition on the ASPRunner.NET 10.1 application. Specifically, you can test the application by supplying an excessively long string (10,000 characters) in the table name field during database table creation and observing if the application crashes or becomes unresponsive.

A practical detection method involves running a proof-of-concept exploit that uses a Python script to generate a payload of 10,000 'A' characters, then pasting this payload into the table name field within the application to see if it crashes.

1. Run the Python script `ASPRunner_net_10_1.py` to generate the payload file `ASPRunner_10_1.txt`.
2. Copy the contents of `ASPRunner_10_1.txt` to the clipboard.
3. Open ASPRunner.NET 10.1 application.
4. Navigate through the wizard: click "Next," select "SQLite" as the database, click "Next" again.
5. Choose to create a new database.
6. Paste the clipboard content (the 10,000 character string) into the "Table name" field.
7. Click "Create table" and observe if the application crashes or becomes unresponsive.

[3]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, avoid allowing untrusted or excessively long input in the table name field during database table creation in ASPRunner.NET 10.1.
Since the vulnerability is triggered by a very long string (10,000 characters), implementing input validation or length checks on the table name parameter can prevent exploitation.
Additionally, restrict local access to the application to trusted users only, as the attack requires local access.
Consider upgrading to a newer version of ASPRunner.NET if available, as the vulnerability affects version 10.1 and earlier.
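
The length check recommended above, sketched as an added example (not code from ASPRunner.NET or its vendor): a gate that validates a table name before it reaches SQLite table creation. The 64-character cap, the identifier pattern and all function names are assumptions chosen for illustration.

```python
import re
import sqlite3

# Assumed policy for this example, not a limit taken from ASPRunner.NET.
MAX_TABLE_NAME_LEN = 64
_IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


class InvalidTableName(ValueError):
    """Raised when a caller-supplied table name fails validation."""


def validate_table_name(name):
    """Return the name unchanged if it is safe to use, else raise."""
    if not isinstance(name, str):
        raise InvalidTableName("table name must be a string")
    # Length check comes first so oversized input is rejected cheaply.
    if not 1 <= len(name) <= MAX_TABLE_NAME_LEN:
        raise InvalidTableName(f"length {len(name)} outside 1..{MAX_TABLE_NAME_LEN}")
    if not _IDENT_RE.fullmatch(name):
        raise InvalidTableName("only letters, digits and underscore allowed")
    # SQLite reserves names beginning with "sqlite_" for internal use.
    if name.lower().startswith("sqlite_"):
        raise InvalidTableName("the sqlite_ prefix is reserved")
    return name


def create_table(conn, name):
    """Create an empty table only after the name passes validation."""
    safe = validate_table_name(name)
    # Identifiers cannot be bound as parameters, so quote explicitly;
    # the charset check above already excludes the quote character.
    conn.execute(f'CREATE TABLE "{safe}" (id INTEGER PRIMARY KEY)')


def try_create(conn, name):
    """Return (True, "") on success or (False, reason) on rejection."""
    try:
        create_table(conn, name)
        return True, ""
    except InvalidTableName as exc:
        return False, str(exc)


if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")
    # Constructed inputs: one normal name and one 10,000-character name.
    for candidate in ("orders", "A" * 10000):
        print(len(candidate), try_create(conn, candidate))
```

The oversized name is rejected with a reason string instead of being passed on, so the caller can surface an error rather than process unbounded input.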