CVE-2019-25342 in Castinfo

Summary

by MITRE • 02/13/2026

Centova Cast 3.2.12 contains a denial of service vulnerability that allows attackers to overwhelm the system by repeatedly calling the database export API endpoint. Attackers can trigger 100% CPU load by sending multiple concurrent requests to the /api.php endpoint with crafted parameters.


Analysis

by VulDB Data Team • 02/13/2026

Centova Cast version 3.2.12 suffers from a critical denial of service vulnerability that stems from insufficient input validation and resource management within its database export API functionality. This vulnerability resides in the /api.php endpoint which fails to properly handle concurrent requests, allowing malicious actors to exploit the system through repeated API calls that consume excessive computational resources. The flaw manifests when attackers send multiple simultaneous requests with specifically crafted parameters designed to trigger the database export functionality, resulting in a complete system resource exhaustion that effectively renders the service unavailable to legitimate users.

The technical implementation of this vulnerability demonstrates poor resource allocation and concurrency control mechanisms within the application's API layer. When the /api.php endpoint receives these crafted requests, it lacks proper rate limiting or request queuing mechanisms that would normally prevent such resource exhaustion scenarios. The database export functionality appears to be invoked without adequate bounds checking or resource consumption monitoring, allowing each request to consume substantial CPU cycles without proper throttling or termination conditions. This behavior aligns with CWE-400 vulnerability classification, specifically addressing unchecked resource consumption where the application fails to limit the amount of computational resources that individual requests can consume.

The operational impact of this vulnerability extends beyond simple service disruption to potentially compromise the entire system stability and availability. Attackers can easily achieve 100% CPU load through concurrent requests, effectively bringing the system to its knees and preventing legitimate users from accessing the service. This type of attack can be executed with minimal technical expertise and significant impact, making it particularly dangerous in production environments where service availability is critical. The vulnerability creates an environment where a single attacker can cause widespread disruption without requiring advanced technical skills or substantial computational resources.

Security professionals should implement immediate mitigations including rate limiting at the application level, connection throttling, and resource consumption monitoring to prevent this type of attack. Network-level firewalls should be configured to limit concurrent connections to the /api.php endpoint, while application-level controls should enforce maximum request rates per IP address. The system should also implement proper input validation and parameter sanitization to prevent malicious parameter injection that could trigger the vulnerable export functionality. These measures align with ATT&CK technique T1499.004 which addresses network denial of service attacks, and should be implemented as part of a comprehensive defense-in-depth strategy. Additionally, regular security assessments and vulnerability scanning should be conducted to identify similar resource exhaustion vulnerabilities within the application's API endpoints and prevent future exploitation attempts.
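The mitigation described above (a per-IP request rate cap combined with a limit on how many expensive requests may run at once) is shown below as an added example; it is not Centova Cast code and the `EndpointGuard` class, its parameter values, the `/api.php` path list and the sample client addresses are constructed for illustration. The guard keeps a sliding window of accepted timestamps per client and a count of requests still in flight, so a burst that tries to pile up concurrent export calls is cut off at the concurrency cap even before the rate cap is reached, which is the failure mode this advisory describes.

```python
"""Per-client rate and concurrency guard for an expensive endpoint.

Added example (not Centova Cast code): models the application-level
mitigation of a per-IP request rate limit plus a cap on simultaneous
in-flight requests to an expensive path. Class, parameters and sample
addresses are constructed for illustration.
"""
import threading
from collections import Counter, defaultdict, deque


class EndpointGuard:
    """Sliding-window rate limit plus in-flight cap, keyed by client IP."""

    def __init__(self, max_requests, window_seconds, max_in_flight,
                 protected_paths=("/api.php",)):
        self.max_requests = max_requests        # accepted requests per window
        self.window_seconds = window_seconds    # length of the sliding window
        self.max_in_flight = max_in_flight      # simultaneous executions per IP
        self.protected_paths = set(protected_paths)
        self._windows = defaultdict(deque)      # ip -> timestamps of accepted requests
        self._in_flight = defaultdict(int)      # ip -> requests currently executing
        self._lock = threading.Lock()

    def try_acquire(self, client_ip, path, now):
        """Return (accepted, reason). Caller must release() each accepted request."""
        if path not in self.protected_paths:
            return True, "unprotected"
        with self._lock:
            window = self._windows[client_ip]
            cutoff = now - self.window_seconds
            # Drop timestamps that have aged out of the window.
            while window and window[0] <= cutoff:
                window.popleft()
            # Concurrency check first: it is the cheap export pile-up we fear most.
            if self._in_flight[client_ip] >= self.max_in_flight:
                return False, "concurrency"
            if len(window) >= self.max_requests:
                return False, "rate"
            window.append(now)
            self._in_flight[client_ip] += 1
            return True, "ok"

    def release(self, client_ip):
        """Mark one of the client's in-flight requests as finished."""
        with self._lock:
            if self._in_flight[client_ip] > 0:
                self._in_flight[client_ip] -= 1


def simulate_burst(guard, client_ip, count, now, path="/api.php", hold=False):
    """Fire `count` requests at the same instant and return {reason: n}.

    With hold=True the accepted requests stay in flight (a slow export
    still running); otherwise each one is released immediately.
    """
    outcomes = Counter()
    for _ in range(count):
        accepted, reason = guard.try_acquire(client_ip, path, now)
        outcomes[reason] += 1
        if accepted and not hold:
            guard.release(client_ip)
    return dict(outcomes)


if __name__ == "__main__":
    # Constructed scenario: 20 simultaneous export calls from one address.
    guard = EndpointGuard(max_requests=10, window_seconds=60, max_in_flight=3)
    print(simulate_burst(guard, "203.0.113.5", 20, now=1000.0, hold=True))
```

In a real deployment the guard sits in front of the export handler (or is replaced by the equivalent web-server or firewall rule), and the `release()` call belongs in a `finally` block so that a crashed export does not permanently consume one of the client's in-flight slots. Rejected requests are deliberately not counted against the window, so a client who is being throttled cannot extend their own penalty by retrying.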

Responsible

VulnCheck

Reservation

02/12/2026

Disclosure

02/13/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00069

KEV

no

Activities

very low

Sources
