Vulnerability Description
Adacore Ada Web Server (AWS) before 25.2 is vulnerable to a denial-of-service (DoS) condition due to improper handling of SSL handshakes during connection initialization. When a client initiates an HTTPS connection, the server performs the SSL handshake before assigning the connection to a processing slot. However, there is no specific timeout set for this phase, and the server uses the default socket timeout, which is effectively infinite. An attacker can exploit this by sending a malformed TLS ClientHello message with incorrect length values. This causes the server to wait indefinitely for data that never arrives, blocking the worker thread (Line) handling the connection. By opening multiple such connections, up to the server's maximum limit, the attacker can exhaust all available working threads, preventing the server from handling new, legitimate requests.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Adacore | Ada Web Server | < 26.0 |
Related Weaknesses (CWE)
References
- https://adacore.comProduct
- https://docs.adacore.com/corp/security-advisories/SEC.AWS-0095-v1.pdfTechnical DescriptionVendor Advisory
FAQ
What is CVE-2025-52494?
CVE-2025-52494 is a vulnerability with a CVSS score of 7.5 (HIGH). Adacore Ada Web Server (AWS) before 25.2 is vulnerable to a denial-of-service (DoS) condition due to improper handling of SSL handshakes during connection initialization. When a client initiates an HT...
How severe is CVE-2025-52494?
CVE-2025-52494 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-52494?
Check the references section above for vendor advisories and patch information. Affected products include: Adacore Ada Web Server.