Cyber Resilience

CVE-2026-25577

High

Published: 10 February 2026

Published
10 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0008 23.4th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25577 is a high-severity Uncaught Exception (CWE-248) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 23.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Deeper analysis

CVE-2026-25577 affects the Emmett framework, a tool designed to simplify development processes, specifically in versions prior to 1.3.11. The vulnerability resides in the cookies property of the mmett_core.http.wrappers.Request component, which fails to handle CookieError exceptions during parsing of malformed Cookie headers. This unhandled exception leads to HTTP 500 errors. The issue is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-248 (Uncaught Exception) and CWE-307 (Improper Restriction of Excessive Authentication Attempts, though primarily manifesting as a DoS vector).

Unauthenticated remote attackers can exploit this vulnerability by sending HTTP requests with specially crafted, malformed Cookie headers to any endpoint processed by the affected Request wrapper. Successful exploitation triggers the unhandled exception, resulting in server-side HTTP 500 errors and potential denial of service through resource exhaustion or service unavailability, without requiring privileges, user interaction, or impacting confidentiality or integrity.

The Emmett framework maintainers addressed this in version 1.3.11, as detailed in the fix commit at https://github.com/emmett-framework/core/commit/9557ea23a27cbadf7774d8bca6bbe4b54fa8a3ec and the GitHub security advisory at https://github.com/emmett-framework/core/security/advisories/GHSA-x6cr-mq53-cc76. Security practitioners should upgrade to Emmett 1.3.11 or later to mitigate the issue, and review deployments for exposure to unauthenticated HTTP traffic.

EU & UK References

Vulnerability details

Emmett is a framework designed to simplify your development process. Prior to 1.3.11, the cookies property in mmett_core.http.wrappers.Request does not handle CookieError exceptions when parsing malformed Cookie headers. This allows unauthenticated attackers to trigger HTTP 500 errors and cause denial…

more

of service. This vulnerability is fixed in 1.3.11.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The unhandled CookieError exception from malformed headers directly enables remote unauthenticated application exploitation to crash the service and produce DoS (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-20171Shared CWE-248
CVE-2026-32770Shared CWE-248
CVE-2026-31870Shared CWE-248
CVE-2026-34752Shared CWE-248
CVE-2026-24175Shared CWE-248
CVE-2024-55008Shared CWE-307
CVE-2026-32314Shared CWE-248
CVE-2026-37554Shared CWE-248
CVE-2025-20172Shared CWE-248
CVE-2026-44001Shared CWE-248

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-11 requires secure error handling to prevent unhandled CookieError exceptions from causing HTTP 500 errors and DoS in the Emmett framework's Request wrapper.

prevent

SI-10 enforces validation of HTTP Cookie headers to block malformed inputs that trigger exceptions in the cookies property of mmett_core.http.wrappers.Request.

prevent

SI-2 mandates timely flaw remediation by upgrading to Emmett 1.3.11 or later, which fixes the unhandled exception vulnerability.

References