Submit #770104: Cesanta Mongoose 7.20 Authorization Bypassinfo

TitleCesanta Mongoose 7.20 Authorization Bypass
Descriptionsecp384r1 (P-384) Certificate Verification Bypass in Mongoose v7.20 mTLS mg_tls_verify_cert_signature() returns 1 without checking when the issuer CA has a P-384 public key (96 bytes). This means ANY such client certificate is accepted by an mTLS server, https://github.com/cesanta/mongoose/blob/master/mongoose.c#L14080 ### Impact mTLS based authentication bypass. ### Disclosure Vendor contacted Feb 26 and CONFIRMED the vulnerability. ### Exploit Due to the nature of the library, I could not target a single device or hardware configuration, so I had to create one myself via qemu. [redacted]
User
 the_evilsocket (UID 96063)
Submission03/02/2026 17:41 (4 months ago)
Moderation04/02/2026 09:43 (1 month later)
StatusAccepted
VulDB entry354827 [Cesanta Mongoose up to 7.20 P-384 Public Key mongoose.c mg_tls_verify_cert_signature authorization]
Points17

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!