CVE-2011-2900

EXPLOITED IN THE WILD

shttpd 1.42 - Stack-based Buffer Overflow in _shttpd_put_dir Function

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2011-2900 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 2 public exploits from researchers including nion, G13.

AI-analyzed exploit summary This exploit targets a buffer overflow vulnerability in shttpd/mongoose web servers (CVE-2011-2900) to achieve remote code execution. It uses a crafted HTTP PUT request with stack manipulation and ROP gadgets to execute a connect-back shellcode.

Description

Stack-based buffer overflow in the (1) put_dir function in mongoose.c in Mongoose 3.0, (2) put_dir function in yasslEWS.c in yaSSL Embedded Web Server (yasslEWS) 0.2, and (3) _shttpd_put_dir function in io_dir.c in Simple HTTPD (shttpd) 1.42 allows remote attackers to execute arbitrary code via an HTTP PUT request, as exploited in the wild in 2011.

Exploits (2)

exploitdb WORKING POC
by nion · pythonremotewindows
https://www.exploit-db.com/exploits/17669

This exploit targets a buffer overflow vulnerability in shttpd/mongoose web servers (CVE-2011-2900) to achieve remote code execution. It uses a crafted HTTP PUT request with stack manipulation and ROP gadgets to execute a connect-back shellcode.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: shttpd <= 1.42, mongoose <= 3.0
No auth needed
Prerequisites: Network access to the target web server · Target must be running a vulnerable version of shttpd or mongoose
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by G13 · pythondoswindows
https://www.exploit-db.com/exploits/17658

This exploit sends a maliciously crafted HTTP PUT request with an oversized buffer to trigger a denial-of-service (DoS) condition in Simple HTTPd 1.42. The vulnerability is due to improper handling of long URIs, leading to a crash.

Classification
Working Poc 90%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: Simple HTTPd 1.42
No auth needed
Prerequisites: Target server running Simple HTTPd 1.42 compiled with -DNO_AUTH and -D_DEBUG flags · Network access to the target server on port 80
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (11)

Core 11
Core References
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065505.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/48980
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/45464
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/45902
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065537.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/68991
Patch mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2011/08/03/5
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/8337
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065273.html
Patch mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2011/08/03/9

Scores

EPSS 0.5367
EPSS Percentile 98.1%

Details

VulnCheck KEV 2011-08-05
InTheWild.io 2017-08-29
CWE
CWE-119
Status published
Products (3)
shttpd/shttpd 1.42
valenok/mongoose 3.0
yassl/yasslews 0.2
Published Aug 05, 2011
Tracked Since Feb 18, 2026