CVE-2019-17502

HIGH

hydra_project/hydra < 0.1.8 - Denial of Service via NULL Pointer Dereference in POST Request Handling

Title source: llm

Description

Hydra through 0.1.8 has a NULL pointer dereference and daemon crash when processing POST requests that lack a Content-Length header. read.c, request.c, and util.c contribute to this. The process_header_end() function calls boa_atoi(), which ultimately calls atoi() on a NULL pointer.

References (2)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://gist.github.com/fxb6476/0b9883a88ff2ca40de46a8469834e16c
Third Party Advisory x_refsource_misc
http://hydra.hellug.gr

Scores

CVSS v3 7.5
EPSS 0.0170
EPSS Percentile 74.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-476
Status published
Products (1)
hydra_project/hydra < 0.1.8
Published Oct 12, 2019
Tracked Since Feb 18, 2026