cvedb.io
CVE-2025-52494
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2025-09-03T18:15:35.120 · Last modified 2026-06-17T09:36:35.970

Summary

Adacore Ada Web Server (AWS) before 25.2 is vulnerable to a denial-of-service (DoS) condition due to improper handling of SSL handshakes during connection initialization. When a client initiates an HTTPS connection, the server performs the SSL handshake before assigning the connection to a processing slot. However, there is no specific timeout set for this phase, and the server uses the default socket timeout, which is effectively infinite. An attacker can exploit this by sending a malformed TLS ClientHello message with incorrect length values. This causes the server to wait indefinitely for data that never arrives, blocking the worker thread (Line) handling the connection. By opening multiple such connections, up to the server's maximum limit, the attacker can exhaust all available workin

Affected products

adacore — ada_web_server

Does this affect you?

Add your gear to cvedb and we'll alert you only when adacore ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.