Cyber Resilience

CVE-2025-67419

High

Published: 05 January 2026

Published
05 January 2026
Modified
12 January 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0012 30.6th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-67419 is a high-severity Excessive Platform Resource Consumption within a Loop (CWE-1050) vulnerability in Evershop Evershop. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2025-67419 is a Denial of Service (DoS) vulnerability in Evershop versions 2.1.0 and prior. The flaw occurs in the "GET /images" API endpoint, where the application processes SVG files without limiting the height of the use-element shadow tree or the dimensions of pattern tiles. This deficiency enables unbounded resource consumption on the application server, published on 2026-01-05 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and mapped to CWE-1050.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction or privileges required. By sending a malicious request to the "GET /images" API containing a crafted SVG file, attackers can trigger excessive resource usage, exhausting the server's CPU or memory and causing a system-wide denial of service that disrupts availability for legitimate users.

Advisories and related resources are available at https://github.com/dos-m0nk3y/CVE/tree/main/CVE-2025-67419, which documents the issue, and the Evershop project repository at https://github.com/evershopcommerce/evershop.

EU & UK References

Vulnerability details

A Denial of Service (DoS) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to exhaust the application server's resources via the "GET /images" API. The application fails to limit the height of the use-element shadow tree or the dimensions…

more

of pattern tiles during the processing of SVG files, resulting in unbounded resource consumption and system-wide denial of service.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability in public-facing web API endpoint directly enables remote unauthenticated exploitation for application-layer DoS via crafted input triggering resource exhaustion.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-25993Same product: Evershop Evershop
CVE-2026-28213Same product: Evershop Evershop
CVE-2026-4634Shared CWE-1050

Affected Assets

evershop
evershop
≤ 2.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

preventdetect

SC-5 directly mitigates DoS by implementing protections against resource exhaustion from unauthenticated malicious SVG requests to the GET /images API.

prevent

SI-10 prevents unbounded resource consumption by validating SVG inputs for limits on use-element shadow tree height and pattern tile dimensions before processing.

prevent

SC-6 protects server resource availability by enforcing allocation policies and monitoring thresholds to counter excessive CPU/memory usage from crafted SVG files.

References