CVE-2025-71031
Published: 04 February 2026
Summary
CVE-2025-71031 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Melang Melon. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 16.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2025-71031 is a denial-of-service vulnerability affecting Water-Melon Melon up to commit 9df9292. The HTTP component in this software enforces no maximum length for request headers, so a remote client can send excessively large headers that consume memory until the service crashes. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is linked to CWE-400 (Uncontrolled Resource Consumption).
Any unauthenticated attacker with network access can exploit this vulnerability by crafting and sending HTTP requests containing oversized headers. This requires no privileges or user interaction, allowing remote denial of service through memory exhaustion that disrupts service availability.
References detail the exploit, including pages at https://suphawith-phusanbai.gitbook.io/book-of-suphawith/my-exploits/cve-2025-71031-denial-of-service-in-melon-c-library and https://suphawith-phusanbai.gitbook.io/book-of-suphawith/my-exploits/denial-of-service-in-melon-c-library, which describe the denial-of-service issue in the Melon C library. No patch or mitigation guidance is specified in the CVE details.
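The control the advisory says is missing is a bound on header size that is checked while bytes arrive, before anything is allocated or copied. The following C example is added here to show that check; it is not code from the Melon project or from the referenced write-ups, and the limits, sample requests and function names (scan_header_block, demo_*) are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed limits (not Melon's own values). Each line limit includes its CRLF. */
#define MAX_HEADER_LINE_LEN   8192
#define MAX_HEADER_BLOCK_LEN  (64 * 1024)
#define MAX_HEADER_COUNT      100

enum hdr_result {
    HDR_OK = 0,
    HDR_INCOMPLETE,        /* no blank line yet, and still within every limit */
    HDR_LINE_TOO_LONG,
    HDR_BLOCK_TOO_LARGE,
    HDR_TOO_MANY
};

/*
 * Scan a receive buffer holding the start of an HTTP/1.1 message (request
 * line plus headers). On HDR_OK, *consumed is the byte offset just past the
 * blank line that ends the header block and *nheaders the number of header
 * lines. Every limit is evaluated before buf[pos] is even inspected, so an
 * oversized header is rejected while only the fixed receive buffer is held.
 */
enum hdr_result scan_header_block(const char *buf, size_t len,
                                  size_t *consumed, size_t *nheaders)
{
    size_t pos = 0, line_start = 0, count = 0;

    while (pos < len) {
        /* Block bound: the terminating '\n' at pos would make pos+1 bytes. */
        if (pos >= MAX_HEADER_BLOCK_LEN) return HDR_BLOCK_TOO_LARGE;
        /* Line bound: applies to partial lines, not only at a terminator. */
        if (pos - line_start >= MAX_HEADER_LINE_LEN) return HDR_LINE_TOO_LONG;

        if (buf[pos] == '\n') {
            size_t line_len = pos - line_start;
            if (line_len > 0 && buf[pos - 1] == '\r') line_len--;
            if (line_len == 0) {          /* blank line: end of header block */
                *consumed = pos + 1;
                *nheaders = count;
                return HDR_OK;
            }
            if (line_start != 0) {        /* first line is the request line */
                if (++count > MAX_HEADER_COUNT) return HDR_TOO_MANY;
            }
            line_start = pos + 1;
        }
        pos++;
    }
    /* Buffer exhausted without a blank line: limits still apply to partial data. */
    if (len >= MAX_HEADER_BLOCK_LEN) return HDR_BLOCK_TOO_LARGE;
    if (len - line_start >= MAX_HEADER_LINE_LEN) return HDR_LINE_TOO_LONG;
    return HDR_INCOMPLETE;
}

/* Constructed sample request (not captured traffic). */
static const char SAMPLE_OK[] =
    "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: demo\r\n\r\nbody";

/* Well-formed request: returns the offset where the body starts, or -1. */
int demo_normal_request(void)
{
    size_t consumed = 0, n = 0;
    if (scan_header_block(SAMPLE_OK, sizeof SAMPLE_OK - 1, &consumed, &n) != HDR_OK)
        return -1;
    return (int)consumed;
}

/* Request with `count` headers whose values are `value_len` bytes each. */
int demo_headers(size_t count, size_t value_len)
{
    static char buf[128 * 1024];                 /* demo receive buffer */
    size_t n = (size_t)snprintf(buf, sizeof buf, "GET / HTTP/1.1\r\n");
    while (count-- && n + value_len + 7 <= sizeof buf) {
        memcpy(buf + n, "H: ", 3);       n += 3;
        memset(buf + n, 'A', value_len); n += value_len;
        memcpy(buf + n, "\r\n", 2);      n += 2;
    }
    memcpy(buf + n, "\r\n", 2);          n += 2;
    size_t consumed = 0, cnt = 0;
    return scan_header_block(buf, n, &consumed, &cnt);
}

int main(void)
{
    printf("normal request: body at offset %d\n", demo_normal_request());
    printf("one 9000-byte header -> %d (expect HDR_LINE_TOO_LONG=%d)\n",
           demo_headers(1, 9000), HDR_LINE_TOO_LONG);
    printf("101 small headers -> %d (expect HDR_TOO_MANY=%d)\n",
           demo_headers(101, 1), HDR_TOO_MANY);
    printf("10 x 7000-byte headers -> %d (expect HDR_BLOCK_TOO_LARGE=%d)\n",
           demo_headers(10, 7000), HDR_BLOCK_TOO_LARGE);
    return 0;
}
```

The scanner never grows a buffer to fit the input: the caller reads into a fixed-size buffer, and any of the three error results means the connection should be closed (typically with 431 Request Header Fields Too Large) rather than read further. The per-line check at the top of the loop is what matters for this CVE class; a check applied only when a CRLF is finally seen would still let a client hold the server's memory with a single unterminated header.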
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206781
Vulnerability details
Water-Melon Melon commit 9df9292 and below is vulnerable to Denial of Service. The HTTP component doesn't have any maximum length. As a result, an excessive request header could cause a denial of service by consuming RAM memory.
- CWE(s): CWE-400 (Uncontrolled Resource Consumption)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote resource exhaustion via oversized HTTP headers directly enables application/system exploitation for endpoint DoS (T1499.004).
Mitigating Controls (NIST 800-53 r5)
- SC-5 (Denial-of-service Protection): directly mandates protection against denial-of-service events such as memory exhaustion from oversized HTTP request headers.
- SC-6 (Resource Availability): limits allocation of system resources such as RAM to prevent exhaustion by excessive HTTP headers.
- Enforces information input restrictions, including maximum lengths on HTTP request headers, to block oversized inputs.