CVE-2025-26819
Published: 15 February 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-26819 is a vulnerability in Monero cryptocurrency software versions through 0.18.3.4 prior to commit ec74ff4, where the HTTP server lacks response limits. This issue, tied to CWE-770 (Allocation of Resources Without Limits or Throttling), allows unbounded resource allocation during HTTP connections. It carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H), highlighting its high severity due to network accessibility and significant availability impact.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. By opening connections to the node's HTTP server, an attacker can drive excessive resource consumption and exhaust the server, producing a denial-of-service condition; this is reflected in the CVSS vector's high availability impact and changed scope.
The Monero project mitigated this vulnerability via commit ec74ff4a3d3ca38b7912af680209a45fd1701c3d, available at https://github.com/monero-project/monero/commit/ec74ff4a3d3ca38b7912af680209a45fd1701c3d, which introduces the necessary response limits. Security practitioners should update affected Monero nodes to a version incorporating this commit or later to prevent exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows a remote attacker to drive the Monero HTTP server into unbounded resource allocation, degrading or denying availability, which maps directly to exploiting an application or system to cause denial of service.