Cyber Resilience

CVE-2025-71031

HighPublic PoCDDoS

Published: 04 February 2026

Published
04 February 2026
Modified
25 February 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0005 16.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-71031 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Melang Melon. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 16.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2025-71031 is a denial-of-service vulnerability affecting Water-Melon Melon up to commit 9df9292. The HTTP component in this software lacks any maximum length enforcement for request headers, enabling attackers to send excessively large headers that consume RAM memory and crash the service. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is linked to CWE-400 (Uncontrolled Resource Consumption).

Any unauthenticated attacker with network access can exploit this vulnerability by crafting and sending HTTP requests containing oversized headers. This requires no privileges or user interaction, allowing remote denial of service through memory exhaustion that disrupts service availability.

References detail the exploit, including pages at https://suphawith-phusanbai.gitbook.io/book-of-suphawith/my-exploits/cve-2025-71031-denial-of-service-in-melon-c-library and https://suphawith-phusanbai.gitbook.io/book-of-suphawith/my-exploits/denial-of-service-in-melon-c-library, which describe the denial-of-service issue in the Melon C library. No patch or mitigation guidance is specified in the CVE details.

EU & UK References

Vulnerability details

Water-Melon Melon commit 9df9292 and below is vulnerable to Denial of Service. The HTTP component doesn't have any maximum length. As a result, an excessive request header could cause a denial of service by consuming RAM memory.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote resource exhaustion via oversized HTTP headers directly enables application/system exploitation for endpoint DoS (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-56921Shared CWE-400
CVE-2026-33538Shared CWE-400
CVE-2026-0517Shared CWE-400
CVE-2026-6051Shared CWE-400
CVE-2026-21945Shared CWE-400
CVE-2026-33750Shared CWE-400
CVE-2024-33618Shared CWE-400
CVE-2025-69534Shared CWE-400
CVE-2025-29487Shared CWE-400
CVE-2025-9278Shared CWE-400

Affected Assets

melang
melon
≤ 2025-01-18

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates protection against denial-of-service events like memory exhaustion from oversized HTTP request headers.

prevent

Limits allocation of system resources such as RAM to prevent exhaustion by excessive HTTP headers.

prevent

Enforces information input restrictions, including maximum lengths on HTTP request headers to block oversized inputs.

References