NULL Pointer Dereference Affecting cesanta/mongoose package, versions [,7.2)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about NULL Pointer Dereference vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-UNMANAGED-CESANTAMONGOOSE-14105136
- published25 Nov 2025
- disclosed24 Nov 2025
- creditQingpeng Du
Introduced: 24 Nov 2025
NewCVE-2025-65502 (opens in a new tab)Common Vulnerabilities and Exposures (CVE) are common identifiers for publicly known security vulnerabilities
Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade cesanta/mongoose to version 7.2 or higher.
Overview
cesanta/mongoose is a networking library for C/C++. It implements event-driven non-blocking APIs for TCP, UDP, HTTP, WebSocket, MQTT.
Affected versions of this package are vulnerable to NULL Pointer Dereference via the add_ca_certs function during TLS initialization when SSL_CTX_get_cert_store() returns NULL. An attacker can cause a crash and disrupt service availability by triggering this condition remotely.