JFrog Security Research

XRAY-194046 - InterNiche HTTP server heap overflow

CVE-2021-31226 | CVSS 9.8

JFrog Severity: critical

Published 4 Aug. 2021 | Last updated 4 Aug. 2021

Heap overflow in InterNiche TCP/IP stack's HTTP server leads to remote code execution when sending a crafted HTTP POST request

InterNiche TCP/IP stack

InterNiche versions before 4.3; fixed in 4.3

NicheStack (also known as the InterNiche stack) is a proprietary TCP/IP stack originally developed by InterNiche Technologies and acquired by HCC Embedded in 2016. A heap-based buffer overflow was discovered in the way the NicheStack HTTP server parses HTTP POST packets. CVE-2021-31226 occurs during parsing of the HTTP Request-URI field in the function ht_readmsg. After verifying that the packet carries a valid Content-Length header value, the parsing logic obtains a pointer to the request URI (requri) by calling ht_nextarg on the HTTP request buffer and stores that pointer in header_struct->fi->requri. A request URI string longer than 52 bytes overflows the fixed-size heap buffer through an unbounded strcpy call. Note that the HTTP server is optional and may be disabled or compiled out entirely.
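The following C snippet is an added illustration of the defect class described above; it is not NicheStack's code (which is proprietary and not reproduced here). It models the request-line parsing pattern the advisory describes: a fixed-size URI field, the unbounded strcpy that overruns it (shown in a comment, not executed), and a bounded replacement that rejects over-long URIs before copying. The struct name file_info, the REQURI_MAX value of 52, the function names and the sample requests are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size: the advisory says a URI longer than 52 bytes overflows, so this
 * example treats 52 as the longest URI that fits (plus a terminating NUL). */
#define REQURI_MAX 52

/* Hypothetical stand-in for the "fi" structure named in the advisory. */
struct file_info {
    char requri[REQURI_MAX + 1]; /* fixed-size field: 52 chars + NUL */
};

/* Vulnerable pattern (kept for contrast, deliberately not executed):
 * the URI is copied with no length check, so any URI longer than
 * REQURI_MAX runs past the end of fi->requri into adjacent heap memory.
 *
 *     strcpy(fi->requri, uri);
 */

/* Return codes for the bounded version. */
enum { HT_OK = 0, HT_ERR_BAD_REQUEST = -1, HT_ERR_URI_TOO_LONG = -2 };

/* Bounded replacement: extract the URI token from the request line
 * "METHOD SP URI SP VERSION CRLF" and store it only if it fits. */
int ht_store_requri(const char *request, size_t request_len, struct file_info *fi)
{
    const char *end = request + request_len;
    const char *sp = memchr(request, ' ', request_len);   /* end of METHOD */
    if (!sp)
        return HT_ERR_BAD_REQUEST;

    const char *uri = sp + 1;
    size_t remaining = (size_t)(end - uri);
    const char *uri_end = memchr(uri, ' ', remaining);     /* before VERSION */
    if (!uri_end) {
        /* Tolerate a missing version token: stop at the end of the line. */
        uri_end = memchr(uri, '\r', remaining);
        if (!uri_end)
            return HT_ERR_BAD_REQUEST;
    }

    size_t uri_len = (size_t)(uri_end - uri);
    if (uri_len == 0)
        return HT_ERR_BAD_REQUEST;
    if (uri_len > REQURI_MAX)          /* the check strcpy never performed */
        return HT_ERR_URI_TOO_LONG;

    memcpy(fi->requri, uri, uri_len);  /* length is now known to fit */
    fi->requri[uri_len] = '\0';
    return HT_OK;
}

/* Constructed sample request (not captured traffic). */
static const char SAMPLE_OK[] =
    "POST /cgi-bin/update HTTP/1.1\r\nContent-Length: 3\r\n\r\nabc";

int parse_sample_ok(struct file_info *fi)
{
    return ht_store_requri(SAMPLE_OK, sizeof(SAMPLE_OK) - 1, fi);
}

/* Build a constructed POST whose URI is exactly uri_len bytes ("/" + 'A's)
 * and run it through the bounded parser. */
int parse_uri_of_length(size_t uri_len, struct file_info *fi)
{
    char buf[512];
    if (uri_len == 0 || uri_len + 64 > sizeof buf)
        return HT_ERR_BAD_REQUEST;
    int n = snprintf(buf, sizeof buf, "POST /");
    memset(buf + n, 'A', uri_len - 1);
    n += (int)(uri_len - 1);
    n += snprintf(buf + n, sizeof buf - (size_t)n,
                  " HTTP/1.1\r\nContent-Length: 0\r\n\r\n");
    return ht_store_requri(buf, (size_t)n, fi);
}

int main(void)
{
    struct file_info fi;
    printf("normal URI      -> rc=%d requri=%s\n", parse_sample_ok(&fi), fi.requri);
    printf("52-byte URI     -> rc=%d\n", parse_uri_of_length(52, &fi));
    printf("53-byte URI     -> rc=%d (rejected before copy)\n",
           parse_uri_of_length(53, &fi));
    return 0;
}
```

The design point is that the length of the token is computed and compared against the destination size before any bytes are written; the original pattern trusted the attacker-controlled token length implicitly.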

No PoC is supplied for this issue

If it is not needed, disable the NicheStack HTTP server through the NicheStack CLI.

(JFrog) INFRA:HALT New Vulnerabilities Impacting OT and Critical Infrastructure