Cyber Resilience

CVE-2025-66902

Severity: High. Public PoC available.

Published: 20 January 2026
Modified: 30 January 2026
KEV Added: not listed
Patch: none referenced
CVSS Score: v3.1 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0009 (26.0th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-66902 is a high-severity Improper Input Validation (CWE-20) vulnerability in Pithikos Websocket Server. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 26.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-66902 is an input validation vulnerability (CWE-20) in Pithikos websocket-server version 0.6.4. The flaw affects the websocket_server/websocket_server.py file, specifically the WebSocketServer._message_received component, enabling a remote attacker to obtain sensitive information or cause unexpected server behavior.

The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating it is exploitable remotely over the network with low attack complexity, no required privileges, and no user interaction. Any unauthenticated attacker who can connect to the WebSocket server can send crafted messages to disclose sensitive data or disrupt normal server operations.

A proof-of-concept demonstrating the vulnerability is available at https://github.com/cyberinvest211/websocket-server-vuln-poc/tree/main. No vendor advisories, patches, or specific mitigation guidance are detailed in the provided references.

Vulnerability details

An input validation issue in Pithikos websocket-server v.0.6.4 allows a remote attacker to obtain sensitive information or cause unexpected server behavior via the websocket_server/websocket_server.py, WebSocketServer._message_received components.

CWE(s)

CWE-20 Improper Input Validation

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote exploitation of a public-facing WebSocket server via crafted input for sensitive data disclosure.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-4755 (shared CWE-20)
CVE-2026-6973 (shared CWE-20)
CVE-2026-23836 (shared CWE-20)
CVE-2025-12275 (shared CWE-20)
CVE-2025-21344 (shared CWE-20)
CVE-2025-43347 (shared CWE-20)
CVE-2026-29143 (shared CWE-20)
CVE-2026-2880 (shared CWE-20)
CVE-2025-1514 (shared CWE-20)
CVE-2026-26063 (shared CWE-20)

Affected Assets

Vendor: Pithikos
Product: websocket-server
Version: 0.6.4

Mitigating Controls

NIST 800-53 r5 controls (AI)

SI-10 Information Input Validation (prevent)

Directly mandates validation of WebSocket message inputs to prevent crafted messages from disclosing sensitive information or causing unexpected behavior.

SI-2 Flaw Remediation (prevent)

Requires timely flaw remediation, such as patching the input validation issue in Pithikos websocket-server v0.6.4's _message_received component.

SI-11 Error Handling (prevent)

Ensures secure error handling to mitigate information disclosure and limit unexpected server behavior resulting from invalid WebSocket inputs.

References