A Cisco Talos researcher discovered these vulnerabilities. Blog by Jon Munshaw.

EmbedThis’ GoAhead Web Server contains two vulnerabilities that both arise when the software attempts to process a multi-part/form-data HTTP request. An attacker could exploit these vulnerabilities to remotely execute code on the victim machine, or cause a denial-of-service condition.


GoAhead Web Server is a popular embedded web server designed to be a fully customizable web application framework and server for embedded devices. It provides all the base HTTP server functionality and provides a highly customizable platform for developers of embedded web applications.

In accordance with our coordinated disclosure policy, Cisco Talos worked with EmbedThis to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details EmbedThis GoAhead web server code execution vulnerability (TALOS-2019-0888/CVE-2019-5096)

An exploitable code execution vulnerability exists in the processing of multi-part/form-data requests within the base GoAhead web server application in versions v5.0.1, v.4.1.1 and v3.6.5. A specially crafted HTTP request can lead to a use-after-free condition during the processing of this request that can be used to corrupt heap structures that could lead to full code execution. The request can be unauthenticated in the form of GET or POST requests, and does not require the requested resource to exist on the server.

Read the complete vulnerability advisory here for additional information.

EmbedThis GoAhead web server denial-of-service vulnerability (TALOS-2019-0889/CVE-2019-5097)

A denial-of-service vulnerability exists in the processing of multi-part/form-data requests in the base GoAhead web server application in versions v5.0.1, v.4.1.1 and v3.6.5. A specially crafted HTTP request can lead to an infinite loop in the process. The request can be unauthenticated in the form of GET or POST requests and does not require the requested resource to exist on the server.

Read the complete vulnerability advisory here for additional information.

Versions tested Talos researchers tested and confirmed that versions 5.0.1, 4.1.1 and 3.6.5 of EmbedThis GoAhead is affected by these vulnerabilities.

Coverage The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 51331, 51332