CVE-2024-22086: 
NixOS vulnerability analysis and mitigation

CVE-2024-22086 is a critical security vulnerability discovered in the cherry web server through version 4b877df. The vulnerability was disclosed on January 4, 2024, and affects the handle_request function in http.c. The flaw allows remote attackers to trigger a stack-based buffer overflow via a long URI, which could lead to remote code execution (NVD).

The vulnerability exists in the handle_request function at line 54 of http.c, where an unbounded sscanf() call is used to parse HTTP request components: sscanf(buf, "%s %s %s", method, uri, version). This implementation fails to limit the number of characters read into each string buffer, leading to a stack buffer overflow when processing maliciously crafted URIs. The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows attackers to execute arbitrary code remotely by sending specially crafted HTTP requests with excessively long URIs. When exploited, this could lead to complete system compromise, allowing attackers to gain unauthorized access to the affected system with the same privileges as the cherry server process (GitHub Issue).

The recommended mitigation is to modify the sscanf format string to specify maximum field widths, preventing buffer overflow. The suggested fix is to change the vulnerable code to: sscanf(buf, "%5000s %300s %300s", method, uri, version). This limits the number of characters read into each buffer, ensuring they cannot overflow (GitHub Issue).