CVE-2022-25299

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-25299
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-25299.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-25299
Downstream
Related
  • SNYK-UNMANAGED-CESANTAMONGOOSE-2404180
Published
2022-02-18T13:15:08.383Z
Modified
2025-11-20T12:04:51.228541Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
Path traversal in `mg_http_upload()` file-name handling in cesanta/mongoose before 7.6 allows unauthenticated remote file writes outside the upload directory (derived from the Details below; the record itself carries no summary).
Details

This affects the package cesanta/mongoose before 7.6. Unsafe handling of client-supplied file names during upload in the `mg_http_upload()` function (rendered in the NVD text as "mghttpupload" — the underscores were lost; the signatures below target `mg_http_upload` in `src/http.c` and the amalgamated `mongoose.c`) may enable attackers to write files to arbitrary locations outside the designated target folder, i.e. a path-traversal write. Per the CVSS vector above (AV:N/AC:L/PR:N/UI:N, C:N/I:H/A:N), this is reachable over the network with no authentication or user interaction, and the rated impact is to integrity only. Any deployment that exposes an upload handler built on `mg_http_upload()` to untrusted clients should move to 7.6 or later; if that is not immediately possible, the caller should itself reject file names containing path separators or `..` components before handing them to the upload routine.

References

Affected packages

Git / github.com/cesanta/mongoose

Affected ranges

Type
GIT
Repo
https://github.com/cesanta/mongoose
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
(no fixed commit is recorded in this affected range; the description names 7.6 as the first unaffected release, and the vanir_signatures below are generated from commit c65c8fdaaa257e0487ab0aaae9e8f6b439335945, which is the patch those signatures are matched against)
Affected versions

3.*

3.2
3.3
3.4
3.5
3.6
3.7
3.8

4.*

4.0
4.1

5.*

5.0
5.1
5.2
5.3
5.4
5.5
5.5_20140120
5.6

6.*

6.0
6.1
6.10
6.11
6.12
6.13
6.14
6.15
6.16
6.17
6.18
6.2
6.3
6.4
6.5
6.6
6.7
6.8
6.9

7.*

7.0
7.1
7.2
7.3
7.4
7.5

Database specific

vanir_signatures

[
    {
        "source": "https://github.com/cesanta/mongoose/commit/c65c8fdaaa257e0487ab0aaae9e8f6b439335945",
        "signature_type": "Line",
        "target": {
            "file": "mongoose.c"
        },
        "id": "CVE-2022-25299-384fc369",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "242706033282067176875032425508032888864",
                "99522183213085504313786174125419876320",
                "317607507457042687038877028356137111401",
                "333692189807639914897787362839627623813",
                "233865274326001107318949442572987913309",
                "221254706629978215518853743110690491273",
                "253319027323112190251501714670312356228",
                "216538699964804043248640641326933649494",
                "244608069674255244487288380326870337055",
                "260246318888716113391930882121398533345",
                "297272436952712233725021059878684268872",
                "25363224782478370495762222898064946957",
                "163909099563252246648925565846780879728",
                "293169514882191368702607043720044341984",
                "102129296967832871668598717709511254046",
                "112819087028156993108012246646245345603",
                "101821142596263531984442375264151164907",
                "261717293051684845709397823176983799782",
                "228130189183380133144193134927040524517",
                "174402573558153142600198445885969578150",
                "316634947057275655371304392957716982165",
                "298331221646344776840071252632452039089",
                "51519848797132890115430913520659695192",
                "94585454980982654502483191906239126992",
                "81666697063671350821902100494798519433",
                "23964437094381691308194720730542555578",
                "305407463024304548130196606906410878762",
                "38414022540808156823982743711661729470",
                "62657882478922673139893870355193611787",
                "88850435843307456768886303461010071700",
                "106490766253083496260963657830660064020",
                "291678104855126962159420652916814432635",
                "88337735380769454933221982902538839929"
            ]
        }
    },
    {
        "source": "https://github.com/cesanta/mongoose/commit/c65c8fdaaa257e0487ab0aaae9e8f6b439335945",
        "signature_type": "Function",
        "target": {
            "function": "test_http_server",
            "file": "test/unit_test.c"
        },
        "id": "CVE-2022-25299-d3c83efa",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "length": 6870.0,
            "function_hash": "299142579153512652660395765520501226188"
        }
    },
    {
        "source": "https://github.com/cesanta/mongoose/commit/c65c8fdaaa257e0487ab0aaae9e8f6b439335945",
        "signature_type": "Line",
        "target": {
            "file": "src/http.c"
        },
        "id": "CVE-2022-25299-da9c7b66",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "242706033282067176875032425508032888864",
                "99522183213085504313786174125419876320",
                "317607507457042687038877028356137111401",
                "333692189807639914897787362839627623813",
                "233865274326001107318949442572987913309",
                "221254706629978215518853743110690491273",
                "253319027323112190251501714670312356228",
                "216538699964804043248640641326933649494",
                "244608069674255244487288380326870337055",
                "260246318888716113391930882121398533345",
                "297272436952712233725021059878684268872",
                "25363224782478370495762222898064946957",
                "163909099563252246648925565846780879728",
                "293169514882191368702607043720044341984",
                "102129296967832871668598717709511254046",
                "112819087028156993108012246646245345603",
                "101821142596263531984442375264151164907",
                "261717293051684845709397823176983799782",
                "228130189183380133144193134927040524517",
                "174402573558153142600198445885969578150",
                "316634947057275655371304392957716982165",
                "298331221646344776840071252632452039089",
                "51519848797132890115430913520659695192",
                "94585454980982654502483191906239126992",
                "81666697063671350821902100494798519433",
                "23964437094381691308194720730542555578",
                "305407463024304548130196606906410878762",
                "38414022540808156823982743711661729470",
                "62657882478922673139893870355193611787",
                "88850435843307456768886303461010071700",
                "106490766253083496260963657830660064020",
                "291678104855126962159420652916814432635",
                "88337735380769454933221982902538839929"
            ]
        }
    },
    {
        "source": "https://github.com/cesanta/mongoose/commit/c65c8fdaaa257e0487ab0aaae9e8f6b439335945",
        "signature_type": "Function",
        "target": {
            "function": "mg_http_upload",
            "file": "mongoose.c"
        },
        "id": "CVE-2022-25299-e80b1150",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "length": 939.0,
            "function_hash": "94260302717059400505012761633974380900"
        }
    },
    {
        "source": "https://github.com/cesanta/mongoose/commit/c65c8fdaaa257e0487ab0aaae9e8f6b439335945",
        "signature_type": "Function",
        "target": {
            "function": "mg_http_upload",
            "file": "src/http.c"
        },
        "id": "CVE-2022-25299-f3a27d8f",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "length": 939.0,
            "function_hash": "94260302717059400505012761633974380900"
        }
    }
]