LiveActive security incident?Get immediate response
CVE Record

CVE-2017-2909: An infinite loop programming error exists in the DNS server functionality of Cesanta Mongoose 6.8 library.

An infinite loop programming error exists in the DNS server functionality of Cesanta Mongoose 6.8 library. A specially crafted DNS request can cause an infinite loop resulting in high CPU usage and Denial Of Service. An attacker can send a packet over the network to trigger this vulnerability.

HighCVSS 7.5Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

Cesanta Mongoose 6.8 contains a DNS server flaw that can trap the process in an infinite loop. A network attacker can trigger high CPU usage and cause denial of service, affecting availability rather than data confidentiality or integrity.

Executive priority

Prioritize remediation where affected DNS functionality is internet-facing or supports critical operations. The business risk is service outage from unauthenticated network traffic, not data theft. If the component is internal-only and access-controlled, urgency is lower but inventory validation remains important.

Technical view

CVE-2017-2909 is a remote, unauthenticated availability issue in the DNS server functionality of Cesanta Mongoose 6.8. A specially crafted DNS request can cause an infinite loop, producing high CPU usage. CVSS v3.0 is 7.5: network attack vector, low complexity, no privileges, no user interaction, availability high.

Likely exposure

Exposure is limited to products or services using Cesanta Mongoose 6.8 with its DNS server functionality enabled and reachable over a network. Embedded or bundled uses may need component inventory review because the source bundle names only the library, not downstream products.

Exploitation context

The sources describe network-triggerable denial of service. The bundle does not cite CISA KEV listing, active exploitation, public exploit use, or exploitation in the wild. Do not assume active exploitation from the provided evidence.

Researcher notes

The public bundle names Cesanta Mongoose 6.8 and DNS server functionality only. It does not provide CWE mapping, fixed version, patch details, or downstream affected products. Keep analysis scoped to availability impact and avoid asserting exploit availability beyond the cited network trigger condition.

Mitigation direction

  • Identify any deployed or embedded use of Cesanta Mongoose 6.8.
  • Check vendor or product-maintainer guidance for fixed or unaffected versions.
  • Disable Mongoose DNS server functionality where it is not required.
  • Restrict untrusted network access to affected DNS server functionality.
  • Monitor affected services for sustained CPU spikes and availability degradation.

Validation and detection

  • Confirm whether Cesanta Mongoose 6.8 exists in source, firmware, or dependency inventories.
  • Verify whether DNS server functionality is enabled in affected deployments.
  • Map reachable network paths to any service using that functionality.
  • Review monitoring for high CPU events correlated with DNS traffic.
  • Document compensating controls and remaining exposed systems.
Prepared
Confidence
high
Sources
3

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2017-2909 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
7.5 (3.0)
Known Exploited
No
Published

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
2Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
7.5CVSS 3.0HighCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H3.93.6Primary CVE score

Vulnerability scoring details

Base CVSS 3.0 score

7.5High
CVSS 3.0 vector shape for CVE-2017-2909Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
CesantaMongoose6.8Listed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.