Security context

What an agent needs to avoid regressing past fixes and find the next vuln in this repo.

cesanta/mongoose
master @ b86f255
115
Fixes
0
CVEs
CRITICAL
Peak severity
Highlights
Auth Bypass: 22 prior fixes. Scrutinize any change in this area.
mongoose.c: most-fixed (71 issues). Treat as high-risk during review.
87 high-severity fixes in this history; regressions here are high-impact.
Recurring patterns

The bug types that recur here, drawn from past fixes, not open vulnerabilities.

Auth Bypass: Flaws in certificate state management, handshake sequencing, and hostname verification fallback logic within the built-in TLS engine allowed connections to bypass crucial peer validation checks.
Path Traversal: Weaknesses in file handling, upload handlers, and directory sanitization logic permitted directory traversal via malformed dot-dot sequences or non-null-terminated network paths.
Memory Corruption: The built-in TLS engine suffered from critical buffer overflows and memory corruption due to fixed-size stack arrays, unsafe allocation calculations during decryption, and out-of-bounds handshake parsing.