Cyber Resilience

CVE-2025-26819

Severity: High · Category: DDoS

Published: 15 February 2025
Modified: 30 September 2025
KEV Added: not listed
Patch: commit ec74ff4
CVSS v3.1 score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
EPSS score: 0.0012 (29.9th percentile)
Risk priority: 17 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-26819 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Monero (vendor: getmonero). Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks it at the 29.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2025-26819 is a vulnerability in Monero cryptocurrency software versions through 0.18.3.4 prior to commit ec74ff4, where the HTTP server lacks response limits. This issue, tied to CWE-770 (Allocation of Resources Without Limits or Throttling), allows unbounded resource allocation during HTTP connections. It carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H), highlighting its high severity due to network accessibility and significant availability impact.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. By establishing HTTP server connections, attackers can trigger excessive resource consumption, leading to denial-of-service conditions through server resource exhaustion, as indicated by the high availability impact and changed scope in the CVSS vector.

The Monero project mitigated this vulnerability via commit ec74ff4a3d3ca38b7912af680209a45fd1701c3d, available at https://github.com/monero-project/monero/commit/ec74ff4a3d3ca38b7912af680209a45fd1701c3d, which introduces the necessary response limits. Security practitioners should update affected Monero nodes to a version incorporating this commit or later to prevent exploitation.
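The controls named above (SC-5 and SC-6) come down to one engineering rule: never let a single connection decide how much memory or time the server spends on it. The following is an added example written for this page, not Monero's code and not the change in commit ec74ff4. It is a small Python HTTP server that applies per-connection caps of the kind CWE-770 calls for: a Content-Length ceiling checked before any buffer is allocated, a bounded body reader, a cap on the size of the response the server is willing to build, an idle timeout, and a cap on concurrent connections. All limit values and helper names are assumptions chosen for illustration; the test inputs are constructed.

```python
"""Per-connection resource limits for an HTTP server (CWE-770 mitigation demo).

Added example, not Monero's code. Limit values and function names are
assumptions chosen for illustration.
"""
import io
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumed limits; tune per deployment. The point is that each one is finite.
MAX_BODY_BYTES = 64 * 1024        # largest request body we will buffer
MAX_RESPONSE_BYTES = 256 * 1024   # largest response we will build
MAX_CONCURRENT = 32               # connections served at once
IDLE_TIMEOUT_S = 10.0             # socket timeout per connection


def check_content_length(headers, max_body=MAX_BODY_BYTES):
    """Validate Content-Length before allocating anything for the body.

    Returns (declared_length, None) when acceptable, else (None, reason).
    """
    raw = headers.get("Content-Length")
    if raw is None:
        return 0, None
    try:
        n = int(raw)
    except ValueError:
        return None, "malformed Content-Length"
    if n < 0:
        return None, "negative Content-Length"
    if n > max_body:
        return None, "body exceeds limit"
    return n, None


def read_bounded(stream, declared, max_body=MAX_BODY_BYTES):
    """Read at most min(declared, max_body) bytes in fixed-size chunks.

    Stops early if the peer closes, so a slow or lying client cannot make
    the server wait for bytes that never arrive or buffer more than the cap.
    """
    cap = min(declared, max_body)
    buf = bytearray()
    while len(buf) < cap:
        chunk = stream.read(min(4096, cap - len(buf)))
        if not chunk:
            break
        buf.extend(chunk)
    return bytes(buf)


def bounded_response(payload, max_bytes=MAX_RESPONSE_BYTES):
    """Refuse to emit a response larger than the cap. Returns (status, body)."""
    if len(payload) > max_bytes:
        return 500, b"response exceeds configured limit"
    return 200, payload


def process(headers, stream):
    """The handler's request pipeline, shared with the offline simulator.

    Demo behaviour: echo the (bounded) body back in upper case.
    """
    declared, err = check_content_length(headers)
    if err:
        return 413, err.encode()
    body = read_bounded(stream, declared)
    return bounded_response(body.upper())


def simulate_request(headers, body_bytes):
    """Run the same checks against an in-memory stream (constructed input)."""
    return process(headers, io.BytesIO(body_bytes))


class LimitedHandler(BaseHTTPRequestHandler):
    timeout = IDLE_TIMEOUT_S  # applied to the socket by StreamRequestHandler.setup()

    def handle(self):
        slots = self.server.slots
        if not slots.acquire(blocking=False):
            # Over the connection cap: answer cheaply without parsing anything.
            self.wfile.write(b"HTTP/1.1 503 Service Unavailable\r\n"
                             b"Connection: close\r\nContent-Length: 0\r\n\r\n")
            return
        try:
            super().handle()
        finally:
            slots.release()

    def do_POST(self):
        status, reply = process(self.headers, self.rfile)
        self.send_response(status)
        self.send_header("Content-Length", str(len(reply)))
        self.send_header("Connection", "close")
        self.end_headers()
        self.wfile.write(reply)


def make_server(host="127.0.0.1", port=0):
    srv = ThreadingHTTPServer((host, port), LimitedHandler)
    srv.slots = threading.BoundedSemaphore(MAX_CONCURRENT)
    return srv


if __name__ == "__main__":
    server = make_server()
    print("listening on", server.server_address)
    server.serve_forever()
```

Note the ordering: the Content-Length check runs before any buffer exists, the reader never trusts the declared length beyond the cap, and the concurrency cap is applied before the request line is even parsed, so an over-limit connection costs the server one short write rather than a full request parse.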

Vulnerability details

Monero through 0.18.3.4 before ec74ff4 does not have response limits on HTTP server connections.

CWE(s)

CWE-770 Allocation of Resources Without Limits or Throttling
Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability enables remote exploitation of the Monero HTTP server to cause unbounded resource allocation and availability impact, directly mapping to application or system exploitation for denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2021-47877 (shared CWE-770)
CVE-2026-3260 (shared CWE-770)
CVE-2025-66560 (shared CWE-770)
CVE-2025-68136 (shared CWE-770)
CVE-2020-37038 (shared CWE-770)
CVE-2025-36070 (shared CWE-770)
CVE-2021-47791 (shared CWE-770)
CVE-2021-47876 (shared CWE-770)
CVE-2019-25342 (shared CWE-770)
CVE-2026-44004 (shared CWE-770)

Affected Assets

Vendor: getmonero
Product: monero
Versions: ≤ 0.18.3.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned)

SC-5 Denial-of-service Protection (prevent)
Directly protects against denial of service via resource exhaustion from unbounded HTTP server connections lacking response limits.

SC-6 Resource Availability (prevent)
Enforces limits on resource availability to mitigate unbounded allocation during HTTP connections in Monero.

Flaw remediation via software update (prevent)
Timely flaw remediation via software updates applies the commit adding response limits, eliminating the vulnerability.