Cyber Posture

CVE-2019-25613

Severity: High · Public PoC

Published: 22 March 2026
Modified: 02 April 2026
KEV Added: not listed
Patch: none identified
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0039 (60.4th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-25613 is a high-severity vulnerability in Echatserver Easy Chat Server 3.1, catalogued as Improper Verification of Source of a Communication Channel (CWE-940). Its CVSS v3.1 base score is 7.5 (High); the vector is network-reachable, unauthenticated, and affects availability only.

Operationally, it ranks in the top 39.6% of CVEs by EPSS exploit likelihood (60.4th percentile); it is not currently listed in the CISA KEV catalog; a public proof of concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: directly mitigates the CVE by enforcing validation of the message parameter size and rejecting oversized inputs before processing.

Prevent (SC-5, Denial-of-service Protection): provides denial-of-service protection mechanisms to block oversized data attacks targeting the body2.ghp endpoint.

Prevent (SC-6, Resource Availability): ensures resource availability by limiting the resources an oversized POST request can consume, so that it cannot crash the chat server.

NVD Description

Easy Chat Server 3.1 contains a denial of service vulnerability that allows remote attackers to crash the application by sending oversized data in the message parameter. Attackers can establish a session via the chat.ghp endpoint and then send a POST request to body2.ghp with an excessively large message parameter value to cause the service to crash.

Deeper analysis

CVE-2019-25613 is a denial of service vulnerability affecting Easy Chat Server 3.1. The flaw arises from the application's failure to properly handle oversized data in the message parameter. NVD classifies it under CWE-940 (Improper Verification of Source of a Communication Channel); note that the behaviour described, a crash on oversized input, is an input-handling fault rather than a channel-verification one, so treat the CWE label as the catalogue's assignment rather than a statement of root cause. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects network reachability, no privileges or user interaction, and a high availability impact with no confidentiality or integrity impact.

Any remote attacker can exploit this vulnerability without privileges. The attack begins by establishing a session through the chat.ghp endpoint, followed by a POST request to body2.ghp whose message parameter value is excessively large. This crashes the service and disrupts availability for all users until it is restarted.
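The controls listed above come down to one enforcement point (bound the request body and the message field before the application touches them) and one detection point (spot POSTs to body2.ghp that are far larger than a chat message should be). The following is an added example written for this page; it is not Easy Chat Server code and not taken from the referenced PoC. The size limits, the access-log layout, the client addresses and the sample requests are all constructed assumptions for the demonstration.

```python
"""Size guard and log detector for oversized `message` values sent to body2.ghp.

Added example, not Easy Chat Server code and not from the page's source: it
models the mitigation described above (bound the request body and the
`message` field before any further processing) and a log-side check that
flags the same traffic pattern. Size limits, log format, addresses and sample
requests are constructed assumptions.
"""
import re
from urllib.parse import parse_qs

# Assumed limits (not from the page): tune to the real application's bounds.
MAX_CONTENT_LENGTH = 8 * 1024   # refuse to buffer more than this (SC-5 / SC-6)
MAX_MESSAGE_LEN = 1024          # longest `message` the chat should accept
VULNERABLE_PATH = "/body2.ghp"


def parse_http_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x parser: request line, lower-cased headers, raw body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": target.split("?", 1)[0],
            "headers": headers, "body": body}


def vet_body2_request(raw: bytes) -> tuple:
    """Return (allowed, reason) for one request.

    Rejects on the declared Content-Length before the body is parsed, so an
    oversized POST never reaches the form decoder, then bounds `message`.
    """
    req = parse_http_request(raw)
    if req["method"] != "POST" or req["path"] != VULNERABLE_PATH:
        return True, "not a body2.ghp POST; out of scope"
    try:
        declared = int(req["headers"].get("content-length", "0"))
    except ValueError:
        return False, "malformed Content-Length"
    if declared > MAX_CONTENT_LENGTH or len(req["body"]) > MAX_CONTENT_LENGTH:
        return False, f"request body exceeds {MAX_CONTENT_LENGTH} bytes"
    fields = parse_qs(req["body"].decode("latin-1"), keep_blank_values=True)
    for value in fields.get("message", []):
        if len(value) > MAX_MESSAGE_LEN:
            return False, f"message length {len(value)} exceeds {MAX_MESSAGE_LEN}"
    return True, "within limits"


# Constructed access-log layout (assumption): CLF prefix, then status and the
# request Content-Length, as an Apache `%{Content-Length}i` field would log it.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) '
                    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<reqlen>\d+|-)$')


def flag_oversized_posts(log_lines, threshold=MAX_CONTENT_LENGTH):
    """Return [(client_ip, request_bytes)] for body2.ghp POSTs over threshold."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != VULNERABLE_PATH or m["reqlen"] == "-":
            continue
        if int(m["reqlen"]) > threshold:
            hits.append((m["ip"], int(m["reqlen"])))
    return hits


# Constructed sample traffic for the demonstration.
def _post(body: bytes) -> bytes:
    return (b"POST /body2.ghp HTTP/1.1\r\nHost: chat.example\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)

BENIGN = _post(b"message=hello+there&username=a")
LONG_MESSAGE = _post(b"message=" + b"A" * 2000)   # under the body cap, over MAX_MESSAGE_LEN
OVERSIZED = _post(b"message=" + b"A" * 20000)     # over the body cap: rejected unparsed

SAMPLE_LOG = [
    '203.0.113.7 - - [22/Mar/2026:10:00:01 +0000] "GET /chat.ghp HTTP/1.1" 200 0',
    '203.0.113.7 - - [22/Mar/2026:10:00:02 +0000] "POST /body2.ghp HTTP/1.1" 200 30',
    '198.51.100.9 - - [22/Mar/2026:10:00:05 +0000] "POST /body2.ghp HTTP/1.1" 200 1048576',
]

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("long message", LONG_MESSAGE),
                      ("oversized", OVERSIZED)):
        print(f"{name:13s} -> {vet_body2_request(req)}")
    print("log hits:", flag_oversized_posts(SAMPLE_LOG))
```

The ordering in `vet_body2_request` is the point: the Content-Length check runs before any byte of the body is decoded, which is what keeps a deliberately oversized POST from consuming the parser's memory in the first place, and the per-field bound on `message` catches requests that stay under the body cap but still exceed what the chat can sensibly store. The log check is the detection counterpart for environments where the server itself cannot be patched: a chat message measured in megabytes is a reliable signal regardless of the exact payload.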

Reference advisories include a VulnCheck report describing the denial of service via the message parameter and a proof-of-concept exploit published on Exploit-DB (ID 46806). Vendor resources are available at echatserver.com, including the ecssetup.exe download, but no patch for this issue is identified in the referenced material.

Details

CWE(s): CWE-940 (Improper Verification of Source of a Communication Channel)

Affected Products: echatserver / easy chat server / 3.1

CVEs Like This One

CVE-2018-25221 (same product: Echatserver Easy Chat Server)
CVE-2025-23222 (shared CWE-940)
CVE-2026-40434 (shared CWE-940)
CVE-2026-33875 (shared CWE-940)
CVE-2025-61932 (shared CWE-940)
CVE-2026-35643 (shared CWE-940)

References