2392939 – (CVE-2025-52494) CVE-2025-52494 aws: AdaCore AWS: Missing SSL handshake timeout can cause denial of service

Bug 2392939 (CVE-2025-52494) - CVE-2025-52494 aws: AdaCore AWS: Missing SSL handshake timeout can cause denial of service

Summary: CVE-2025-52494 aws: AdaCore AWS: Missing SSL handshake timeout can cause deni...

Keywords:
Status:	NEW
Alias:	CVE-2025-52494
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2402593 2402592
Blocks:
TreeView+	depends on / blocked

Reported:	2025-09-03 18:01 UTC by OSIDB Bzimport
Modified:	2025-10-08 23:01 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-09-03 18:01:20 UTC

Adacore Ada Web Server (AWS) before 25.2 is vulnerable to a denial-of-service (DoS) condition due to improper handling of SSL handshakes during connection initialization. When a client initiates an HTTPS connection, the server performs the SSL handshake before assigning the connection to a processing slot. However, there is no specific timeout set for this phase, and the server uses the default socket timeout, which is effectively infinite. An attacker can exploit this by sending a malformed TLS ClientHello message with incorrect length values. This causes the server to wait indefinitely for data that never arrives, blocking the worker thread (Line) handling the connection. By opening multiple such connections, up to the server's maximum limit, the attacker can exhaust all available working threads, preventing the server from handling new, legitimate requests.

Note You need to log in before you can comment on or make changes to this bug.