CVE-2025-53604: CWE-130 Improper Handling of Length Parameter Inconsistency in pimeys web-push

Medium
Tags: Vulnerability, CVE-2025-53604, cve, cwe-130
Published: Sat Jul 05 2025 (07/05/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: pimeys
Product: web-push

Description

The web-push crate before 0.10.3 for Rust allows a denial of service (memory consumption) in the built-in clients via a large integer in a Content-Length header.

AI-Powered Analysis

Last updated: 07/05/2025, 01:09:31 UTC

Technical Analysis

CVE-2025-53604 is a medium severity vulnerability affecting the web-push crate for Rust, specifically versions prior to 0.10.3. The vulnerability arises from improper handling of a length parameter inconsistency, classified under CWE-130 (improper handling of length or size parameters). In this case, the issue manifests when the built-in clients of the web-push crate process a large integer value in the Content-Length HTTP header of a response: the declared length is trusted when sizing the buffer for the body, so an abnormally large value leads to excessive memory consumption and a denial of service (DoS) condition in the client. The vulnerability is exploitable remotely (AV:N), but requires high attack complexity (AC:H), no privileges (PR:N), and no user interaction (UI:N). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact is limited to availability (A:L), with no impact on confidentiality or integrity. No known exploits are currently reported in the wild, and no patches or fixes have been linked yet. The vulnerability could be triggered by a server or intermediary returning an HTTP response with an abnormally large Content-Length header, causing the client to allocate excessive memory and potentially crash or become unresponsive. This can disrupt services relying on web-push notifications implemented with the vulnerable crate.
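The defensive pattern for this bug class, added here as an illustration and not taken from the web-push crate: an HTTP client reads a response body without letting the declared Content-Length drive allocation. The header is parsed strictly (overflowing or non-numeric values are rejected), a declared length above a cap is refused before any buffer is reserved, and the stream itself is capped so a header that lies cannot matter either. The cap MAX_BODY_BYTES, the error type and the function names are assumptions for this example.

```rust
use std::io::Read;

/// Upper bound on any push-service response body the client will buffer.
/// Constructed value for this example; a real client picks its own limit.
pub const MAX_BODY_BYTES: usize = 64 * 1024;

#[derive(Debug, PartialEq)]
pub enum BodyError {
    /// Content-Length was not a plain decimal integer that fits in usize.
    BadContentLength(String),
    /// Declared or actual body size exceeds the configured cap.
    TooLarge(usize),
    Io(String),
}

/// Parse a Content-Length value without trusting it: only ASCII digits are
/// accepted, and a value that overflows usize is an error, not a huge number.
pub fn parse_content_length(value: &str) -> Result<usize, BodyError> {
    let v = value.trim();
    if v.is_empty() || !v.bytes().all(|b| b.is_ascii_digit()) {
        return Err(BodyError::BadContentLength(value.to_string()));
    }
    v.parse::<usize>()
        .map_err(|_| BodyError::BadContentLength(value.to_string()))
}

/// Read a response body with `max` as the hard ceiling. The declared length is
/// checked against `max` before any allocation, and the reader is wrapped in
/// `take` so an absent or lying header cannot push the buffer past `max`.
pub fn read_body_bounded<R: Read>(
    reader: R,
    declared: Option<&str>,
    max: usize,
) -> Result<Vec<u8>, BodyError> {
    if let Some(raw) = declared {
        let len = parse_content_length(raw)?;
        if len > max {
            return Err(BodyError::TooLarge(len));
        }
    }
    // Read at most max + 1 bytes: the extra byte reveals an oversized body
    // without ever buffering more than max + 1 bytes.
    let mut buf = Vec::new();
    reader
        .take(max as u64 + 1)
        .read_to_end(&mut buf)
        .map_err(|e| BodyError::Io(e.to_string()))?;
    if buf.len() > max {
        return Err(BodyError::TooLarge(buf.len()));
    }
    Ok(buf)
}
```

The vulnerable shape this replaces is reserving `Vec::with_capacity(content_length)` straight from the header; with the checks above the worst an attacker-controlled header can cost is one rejected response.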

Potential Impact

For European organizations, the impact of this vulnerability depends largely on the adoption of the Rust web-push crate in their infrastructure, particularly in services that rely on push notifications for web applications or IoT devices. Organizations using the vulnerable versions may experience service disruptions due to denial of service attacks, potentially affecting user experience and operational continuity. While the vulnerability does not compromise data confidentiality or integrity, availability issues can lead to reputational damage, loss of customer trust, and operational downtime. Sectors with high reliance on real-time notifications, such as financial services, healthcare, and critical infrastructure, may face increased risks if their systems incorporate the vulnerable crate. Additionally, the changed scope indicates that the impact could extend beyond the immediate client, potentially affecting other components or services dependent on the web-push functionality. However, the high attack complexity and absence of known exploits reduce the immediate risk level, allowing organizations some time to implement mitigations.

Mitigation Recommendations

European organizations should first inventory their software dependencies to identify any usage of the pimeys web-push crate, particularly versions prior to 0.10.3. Given the lack of an official patch at the time of this report, organizations should consider the following specific mitigations:

1) Implement strict validation and limits on incoming HTTP headers, especially Content-Length, at the network perimeter or application gateway to block abnormally large values that could trigger the vulnerability.
2) Employ rate limiting and anomaly detection on push notification endpoints to detect and mitigate potential DoS attempts.
3) If feasible, isolate services using the vulnerable crate in sandboxed or containerized environments to limit the impact of potential crashes.
4) Monitor client application logs and system resource usage for signs of memory exhaustion or crashes related to push notification handling.
5) Engage with the vendor or open-source community to track the release of patches or updated versions and plan prompt upgrades once available.
6) Consider temporarily disabling or replacing the web-push functionality if it is critical and no immediate patch is available, to prevent exploitation.

Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2025-07-05T00:00:00.000Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 686877c46f40f0eb72a47d6b

Added to database: 7/5/2025, 12:54:28 AM

Last enriched: 7/5/2025, 1:09:31 AM

Last updated: 7/8/2025, 2:54:29 PM
