Overview
CVE-2025-65502 describes a denial-of-service (DoS) vulnerability affecting Cesanta Mongoose versions prior to 7.2. This vulnerability arises from a NULL pointer dereference within the `add_ca_certs()` function during TLS initialization. Specifically, if the `SSL_CTX_get_cert_store()` function returns NULL, a subsequent dereference of this NULL pointer leads to a crash, effectively halting the Mongoose server.
Technical Details
The vulnerability resides within the `add_ca_certs()` function in the Mongoose library. During TLS initialization, this function retrieves the certificate store by calling `SSL_CTX_get_cert_store()`. If that call returns NULL, the code dereferences the NULL pointer without any error handling, which crashes the process and results in a denial of service. According to the advisory this can be triggered remotely by an attacker initiating a TLS connection under specific conditions that cause `SSL_CTX_get_cert_store()` to return NULL. The root cause is the missing NULL check on the return value of `SSL_CTX_get_cert_store()` before it is used.
CVSS Analysis
Currently, a CVSS score has not been assigned to CVE-2025-65502. However, considering the denial-of-service impact, it is likely to be classified as a medium to high severity vulnerability. The lack of a readily available score might be due to the specific conditions required to trigger the vulnerability or ongoing assessment. Once the CVSS score is available, it will provide a more concrete understanding of the vulnerability’s severity and exploitability.
Possible Impact
The primary impact of this vulnerability is a denial of service. An attacker exploiting this flaw can crash the Mongoose server, rendering it unavailable to legitimate users. This can lead to service disruption, loss of data, and potential reputational damage, especially in scenarios where Mongoose is used in critical infrastructure or customer-facing applications. Remote attackers can potentially trigger this vulnerability, increasing the potential impact.
Mitigation and Patch Steps
The recommended mitigation is to upgrade to Cesanta Mongoose version 7.2 or later. The patch for this vulnerability adds a NULL pointer check before the result of `SSL_CTX_get_cert_store()` is dereferenced, so that TLS initialization fails cleanly instead of crashing when the function returns NULL. Users who cannot upgrade immediately can backport the fix: review the official patch and apply the same NULL check to the `add_ca_certs()` code in their Mongoose installation.
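The following is an added illustration of the missing check and its fix; it is not Mongoose's code. Constructed stand-in types and functions replace the OpenSSL objects named above so that it builds without OpenSSL, and `add_ca_certs_unchecked`, `add_ca_certs_checked` and the `run_store_*` drivers are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the OpenSSL objects the advisory names, so the
 * example builds without OpenSSL. Real code uses SSL_CTX, X509_STORE,
 * SSL_CTX_get_cert_store() and X509_STORE_add_cert(). */
typedef struct { int cert_count; } fake_x509_store;
typedef struct { fake_x509_store *store; } fake_ssl_ctx;   /* NULL = no store */
typedef struct { const char *subject; } fake_x509;

fake_x509_store *fake_get_cert_store(fake_ssl_ctx *ctx) {
    return ctx->store;                 /* like the real call, may return NULL */
}
int fake_store_add_cert(fake_x509_store *store, const fake_x509 *cert) {
    (void)cert;
    store->cert_count++;               /* dereferences store: crashes on NULL */
    return 1;
}
/* Vulnerable shape (hypothetical name): uses the store pointer unchecked. */
int add_ca_certs_unchecked(fake_ssl_ctx *ctx, const fake_x509 *ca, size_t n) {
    fake_x509_store *store = fake_get_cert_store(ctx);
    for (size_t i = 0; i < n; i++)
        fake_store_add_cert(store, &ca[i]);  /* NULL store -> NULL dereference */
    return 1;
}
/* Hardened shape: fail TLS initialisation cleanly when no store is available. */
int add_ca_certs_checked(fake_ssl_ctx *ctx, const fake_x509 *ca, size_t n) {
    fake_x509_store *store = fake_get_cert_store(ctx);
    if (store == NULL) {
        fprintf(stderr, "TLS init: certificate store unavailable\n");
        return 0;                      /* caller must abort TLS setup on 0 */
    }
    for (size_t i = 0; i < n; i++)
        if (!fake_store_add_cert(store, &ca[i])) return 0;
    return 1;
}

/* Two constructed scenarios driving the checked version. */
int run_store_present(void) {          /* returns 1: both CAs loaded */
    fake_x509 ca[2] = {{"CN=Root A"}, {"CN=Root B"}};
    fake_x509_store s = {0};
    fake_ssl_ctx ctx = {&s};
    return add_ca_certs_checked(&ctx, ca, 2) == 1 && s.cert_count == 2;
}
int run_store_missing(void) {          /* returns 0: handled, no crash */
    fake_x509 ca[1] = {{"CN=Root A"}};
    fake_ssl_ctx ctx = {NULL};
    return add_ca_certs_checked(&ctx, ca, 1);   /* unchecked variant would crash here */
}
```

Calling `add_ca_certs_unchecked` with the store-less context reproduces the crash class described in this advisory, whereas the checked version reports failure and leaves the server running.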
