CVE-2025-53604 is a medium severity vulnerability affecting the web-push crate for Rust, specifically versions prior to 0.10.3. The vulnerability arises from improper handling of length parameter inconsistencies, classified under CWE-130, which relates to improper handling of length or size parameters. In this case, the issue manifests when the web-push crate processes a large integer value in the Content-Length HTTP header. This can lead to excessive memory consumption, resulting in a denial of service (DoS) condition in the built-in clients using this crate. The vulnerability is exploitable remotely (AV:N), but requires high attack complexity (AC:H), no privileges (PR:N), and no user interaction (UI:N). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact is limited to availability (A:L), with no impact on confidentiality or integrity. No known exploits are currently reported in the wild, and no patches or fixes have been linked yet. The vulnerability could be triggered by an attacker sending a specially crafted HTTP request with an abnormally large Content-Length header, causing the client to allocate excessive memory and potentially crash or become unresponsive. This can disrupt services relying on web-push notifications implemented with the vulnerable crate.

For European organizations, the impact of this vulnerability depends largely on the adoption of the Rust web-push crate in their infrastructure, particularly in services that rely on push notifications for web applications or IoT devices. Organizations using the vulnerable versions may experience service disruptions due to denial of service attacks, potentially affecting user experience and operational continuity. While the vulnerability does not compromise data confidentiality or integrity, availability issues can lead to reputational damage, loss of customer trust, and operational downtime. Sectors with high reliance on real-time notifications, such as financial services, healthcare, and critical infrastructure, may face increased risks if their systems incorporate the vulnerable crate. Additionally, the changed scope indicates that the impact could extend beyond the immediate client, potentially affecting other components or services dependent on the web-push functionality. However, the high attack complexity and absence of known exploits reduce the immediate risk level, allowing organizations some time to implement mitigations.

European organizations should first inventory their software dependencies to identify any usage of the pimeys web-push crate, particularly versions prior to 0.10.3. Given the lack of an official patch at the time of this report, organizations should consider the following specific mitigations: 1) Implement strict validation and limits on incoming HTTP headers, especially Content-Length, at the network perimeter or application gateway to block abnormally large values that could trigger the vulnerability. 2) Employ rate limiting and anomaly detection on push notification endpoints to detect and mitigate potential DoS attempts. 3) If feasible, isolate services using the vulnerable crate in sandboxed or containerized environments to limit the impact of potential crashes. 4) Monitor client application logs and system resource usage for signs of memory exhaustion or crashes related to push notification handling. 5) Engage with the vendor or open-source community to track the release of patches or updated versions and plan prompt upgrades once available. 6) Consider temporary disabling or replacing the web-push functionality if it is critical and no immediate patch is available, to prevent exploitation.