CVE-2024-57435

6.5 MEDIUM

📋 TL;DR

This vulnerability in macrozheng mall-tiny 1.0.1 allows attackers to cause denial-of-service by sending null data through the resource creation interface, triggering a null pointer dereference that crashes the service and prevents restart. All users running the vulnerable version are affected, particularly those with exposed authentication interfaces.

💻 Affected Systems

Products:
  • macrozheng mall-tiny
Versions: 1.0.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with the resource creation interface enabled and accessible.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service unavailability requiring manual intervention to restore functionality, potentially leading to extended downtime.

🟠 Likely Case: Service crashes requiring restart, causing temporary disruption to authenticated operations.

🟢 If Mitigated: Minimal impact with proper input validation and error handling in place.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely through the resource creation interface.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this to disrupt services.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the resource creation interface but does not require authentication for the initial null data injection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check for an official patch from macrozheng.
2. If unavailable, implement input validation on the resource creation interface.
3. Restart the service after applying fixes.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Add server-side validation to reject null data in resource creation requests.

Implement a null check in the resource creation endpoint: if (data == null) { return error_response; }

WAF Rule (applies to: all)

Block requests with null payloads to the resource creation endpoint.

Add a WAF rule to detect and block requests with null/empty payloads to the vulnerable endpoint.
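The two workarounds above both come down to refusing a request body that carries no object before it reaches application code. The following is an added, framework-agnostic Python illustration of that check, not code from mall-tiny or from the original advisory; the endpoint wrapper, response shape and the required field names ("name", "url") are assumptions made for the example. It distinguishes the three ways a "null" body arrives: an empty body, the JSON literal null (which parses successfully and is exactly what turns into a null reference in the handler), and an object whose required fields are null.

```python
import json
from typing import Any, Optional, Tuple

# Fields the example treats as required for a resource record. This is an
# assumption for illustration; the real mall-tiny payload is not on the page.
REQUIRED_FIELDS = ("name", "url")


def validate_resource_payload(raw_body: bytes) -> Tuple[Optional[dict], Optional[str]]:
    """Return (payload, None) for a usable JSON object, else (None, reason).

    The reason string is what the endpoint sends back with HTTP 400 instead
    of letting a null value reach the service layer.
    """
    if not raw_body or not raw_body.strip():
        return None, "empty request body"
    try:
        parsed: Any = json.loads(raw_body)
    except ValueError:
        return None, "body is not valid JSON"
    # The literal token `null` is valid JSON but yields no object at all;
    # this is the input that reaches an unguarded handler as a null reference.
    if parsed is None:
        return None, "body is JSON null"
    if not isinstance(parsed, dict):
        return None, "body must be a JSON object"
    missing = [f for f in REQUIRED_FIELDS if parsed.get(f) in (None, "")]
    if missing:
        return None, "missing or null fields: " + ", ".join(missing)
    return parsed, None


def handle_create(raw_body: bytes) -> Tuple[int, dict]:
    """Hypothetical create endpoint: returns (HTTP status, JSON response)."""
    payload, reason = validate_resource_payload(raw_body)
    if reason is not None:
        return 400, {"code": 400, "message": reason}
    # Only a fully validated object reaches the (simulated) create logic.
    return 200, {"code": 200, "data": {"id": 1, **payload}}


if __name__ == "__main__":
    # Constructed sample bodies covering each rejection path and one success.
    for body in (b"", b"null", b"[]", b'{"name": null, "url": "/x"}',
                 b'{"name": "admin", "url": "/admin"}'):
        print(body, "->", handle_create(body))
```

A WAF rule can only see the first two cases (empty body, literal null); the per-field check has to live in the application, which is why the page lists both workarounds rather than one.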

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to the resource creation interface
  • Add rate limiting to prevent mass exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Send a POST request with null data to the resource creation endpoint and observe whether the service crashes or returns an error response.

Check Version:

Check application version in configuration files or via application info endpoint

Verify Fix Applied:

Test with a null data payload: the service should return a proper error response without crashing.

📡 Detection & Monitoring

Log Indicators:

  • Null pointer exception logs
  • Service crash/restart logs
  • Unusual resource creation requests

Network Indicators:

  • Multiple POST requests with null/empty payloads to resource endpoints
  • Sudden service unavailability

SIEM Query:

source="application.logs" AND ("NullPointerException" OR "service crashed") AND endpoint="resource/create"
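As an added example (not part of the original advisory), the following Python runs the same predicate as the SIEM query above over a handful of constructed log lines, and adds the network indicator from the list: a per-source count of POSTs to the create endpoint with an empty or null body. The log format, field names and addresses are assumptions made for the example; adapt the regular expression to the real application and access log layout.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample log lines (not from a real deployment). Assumed format:
# "<timestamp> <level> <message>", where access entries carry method, path,
# status, client ip and body length, and an optional body=... marker.
SAMPLE_LOGS = [
    "2024-01-10T10:00:01Z INFO  POST /resource/create 200 ip=10.0.0.5 len=128",
    "2024-01-10T10:00:02Z INFO  POST /resource/create 400 ip=10.0.0.7 len=0",
    "2024-01-10T10:00:02Z INFO  POST /resource/create 500 ip=10.0.0.7 len=4 body=null",
    "2024-01-10T10:00:03Z ERROR endpoint=resource/create java.lang.NullPointerException at ResourceController.create",
    "2024-01-10T10:00:04Z ERROR service crashed, exiting with status 1",
    "2024-01-10T10:00:05Z INFO  GET /admin/info 200 ip=10.0.0.5 len=0",
]

ACCESS_RE = re.compile(
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) ip=(?P<ip>\S+) "
    r"len=(?P<len>\d+)(?: body=(?P<body>\S+))?"
)

CREATE_PATH = "/resource/create"


def siem_hits(lines: List[str]) -> List[str]:
    """Lines matching the page's query:
    ("NullPointerException" OR "service crashed") AND endpoint resource/create."""
    return [
        line for line in lines
        if ("NullPointerException" in line or "service crashed" in line)
        and "resource/create" in line
    ]


def null_payload_posts(lines: List[str]) -> Dict[str, int]:
    """Count, per client ip, POSTs to the create endpoint with an empty or null body."""
    counts: Counter = Counter()
    for line in lines:
        m = ACCESS_RE.search(line)
        if not m or m.group("method") != "POST" or m.group("path") != CREATE_PATH:
            continue
        if m.group("len") == "0" or m.group("body") == "null":
            counts[m.group("ip")] += 1
    return dict(counts)


def sources_over_threshold(lines: List[str], threshold: int = 2) -> List[str]:
    """Client ips whose null-payload POST count reaches the threshold (assumed value)."""
    return sorted(ip for ip, n in null_payload_posts(lines).items() if n >= threshold)


if __name__ == "__main__":
    for hit in siem_hits(SAMPLE_LOGS):
        print("SIEM hit:", hit)
    print("null-payload POSTs by source:", null_payload_posts(SAMPLE_LOGS))
    print("sources at threshold:", sources_over_threshold(SAMPLE_LOGS))
```

Note that the "service crashed" line in the sample does not match the query as written, because the crash message carries no endpoint field; if the application's crash logging is endpoint-agnostic, the AND clause should be relaxed for that term or the crash alert kept as a separate rule.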
