CVE-2017-7687
Description
A malformed URL path in Apache Mesos libprocess causes a crash due to an inappropriate function call, enabling denial of service of Mesos masters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Apache Mesos, the libprocess library handles HTTP requests. When a malformed URL path causes a decoding failure, the code inadvertently calls an inappropriate function, leading to a crash [1]. This affects versions before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev.
Exploitation
An attacker with network access to a Mesos master can send a crafted HTTP request containing a malformed URL path. The request triggers a decoding failure in libprocess, which then calls an incorrect function, causing the master process to crash. No authentication or user interaction is required.
Impact
Successful exploitation results in a denial of service of the Mesos master, rendering the entire Mesos-controlled cluster inoperable. The crash does not lead to data loss or code execution, but the cluster becomes unavailable until the master is restarted.
Mitigation
The vulnerability is fixed in Apache Mesos versions 1.1.3, 1.2.2, 1.3.1, and later. Users should upgrade to these versions or apply the appropriate patch. No workarounds are documented. This CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.mesos:mesos (Maven) | < 1.1.3 | 1.1.3 |
| org.apache.mesos:mesos (Maven) | >= 1.2.0, < 1.2.2 | 1.2.2 |
| org.apache.mesos:mesos (Maven) | >= 1.3.0, < 1.3.1 | 1.3.1 |
Affected products
- cpe:2.3:a:apache:mesos:*:*:*:*:*:*:*:* (range: <=1.1.2)
- cpe:2.3:a:apache:mesos:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:mesos:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:mesos:1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:mesos:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:mesos:1.4.0-dev:*:*:*:*:*:*:*
- Apache Software Foundation/Apache Mesos (v5), range: versions prior to 1.1.3
Patches
2d030f5c88eda Fixed a crash in libprocess when failing to decode a request path.
1 file changed · +1 −1
3rdparty/libprocess/src/process.cpp+1 −1 modified@@ -647,7 +647,7 @@ static Message* parse(Request* request) Try<string> decode = http::decode(request->url.path.substr(1, index)); if (decode.isError()) { - VLOG(2) << "Failed to decode URL path: " << decode.get(); + VLOG(2) << "Failed to decode URL path: " << decode.error(); return nullptr; }
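Review bot: the corrected VLOG line in parse() ships without a regression test (the commit is 1 file changed, +1 −1, all in process.cpp). Add a test that submits a request whose path fails http::decode and asserts that parse() returns nullptr and the process keeps running. It is also worth checking the rest of the file for other `.get()` calls made inside an `isError()` branch, since the same slip would crash in the same way.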
39606e1037bb Rejected libprocess HTTP requests with empty path.
1 file changed · +26 −16
3rdparty/libprocess/src/process.cpp+26 −16 modified@@ -639,6 +639,11 @@ static Message* parse(Request* request) return nullptr; } + // Check that URL path is present and starts with '/'. + if (request.url.path.find('/') != 0) { + return Failure("Request URL path must start with '/'"); + } + // Now determine 'to'. size_t index = request->url.path.find('/', 1); index = index != string::npos ? index - 1 : string::npos; @@ -2501,6 +2506,26 @@ void ProcessManager::handle( { CHECK(request != nullptr); + // Start by checking that the path starts with a '/'. + if (request->url.path.find('/') != 0) { + VLOG(1) << "Returning '400 Bad Request' for '" << request->url.path << "'"; + + // Get the HttpProxy pid for this socket. + PID<HttpProxy> proxy = socket_manager->proxy(socket); + + // Enqueue the response with the HttpProxy so that it respects the + // order of requests to account for HTTP/1.1 pipelining. + dispatch( + proxy, + &HttpProxy::enqueue, + BadRequest("Request URL path must start with '/'"), + *request); + + // Cleanup request. + delete request; + return; + } + // Check if this is a libprocess request (i.e., 'User-Agent: // libprocess/id@ip:port') and if so, parse as a message. if (libprocess(request)) { 
@@ -2543,22 +2568,7 @@ void ProcessManager::handle( return; } - // Treat this as an HTTP request. Start by checking that the path - // starts with a '/' (since the code below assumes as much). - if (request->url.path.find('/') != 0) { - VLOG(1) << "Returning '400 Bad Request' for '" << request->url.path << "'"; - - // Get the HttpProxy pid for this socket. - PID<HttpProxy> proxy = socket_manager->proxy(socket); - - // Enqueue the response with the HttpProxy so that it respects the - // order of requests to account for HTTP/1.1 pipelining. - dispatch(proxy, &HttpProxy::enqueue, BadRequest(), *request); - - // Cleanup request. - delete request; - return; - } + // Treat this as an HTTP request. // Ignore requests with relative paths (i.e., contain "/.."). if (request->url.path.find("/..") != string::npos) {
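Review bot: in the first hunk (parse(), @@ -639) the added check reads `request.url.path` and does `return Failure(...)`, but the hunk header still shows `static Message* parse(Request* request)` and the surrounding context uses `request->url.path` and `return nullptr;`. Against that signature the added lines would not compile, so either a signature change is missing from this diff or the check should read `if (request->url.path.find('/') != 0) { return nullptr; }`.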
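Review bot: in the second hunk (ProcessManager::handle(), @@ -2501) the relocated check writes `request->url.path` to the log verbatim at VLOG(1), and that string comes straight from the request before any validation; consider truncating or escaping it before logging. The removed copy of this check carried the comment "since the code below assumes as much", which the new comment drops; keep that rationale, because the libprocess branch that follows also depends on the leading '/'.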
Vulnerability mechanics
Root cause
"Calling `.get()` instead of `.error()` on a failed `Try` object when URL path decoding fails causes a crash."
Attack vector
An unauthenticated attacker sends a crafted HTTP request with a malformed URL path (e.g., an empty path or a path that fails URL decoding) to a libprocess-based Mesos master. The `parse()` function encounters a decoding error and, due to the bug, calls `decode.get()` on a `Try` that is in an error state, causing a crash. This results in a denial of service of the Mesos master, rendering the cluster inoperable. No authentication or special network position is required.
Affected code
The vulnerability is in `3rdparty/libprocess/src/process.cpp`. The `parse()` function (line ~647) calls `decode.get()` instead of `decode.error()` when a URL path decoding failure occurs, causing a crash. Additionally, the `parse()` function lacks a check for an empty or malformed URL path, which can trigger the decoding failure path.
What the fix does
Patch [patch_id=1666654] corrects the single-line bug: `decode.get()` is replaced with `decode.error()`. When `decode.isError()` is true, calling `.get()` on a `Try` that holds an error is undefined behavior and causes a crash; `.error()` safely retrieves the error message for logging. Patch [patch_id=1666653] adds a defensive check at the top of `parse()` to reject requests whose URL path does not start with '/', preventing the malformed path from reaching the decoding logic. It also moves an existing path validation check earlier in `handle()` so that both libprocess and HTTP requests are validated before any processing occurs.
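The two fixes described above, sketched as an added example that is not Mesos or stout code: `Try` here is a hypothetical stand-in whose `get()` throws on misuse (an assumption made so the misuse is testable), and `decode` and `first_segment` are illustrative names. The failure branch reads `error()`, and the leading-'/' check runs before `substr(1, ...)`.

```cpp
#include <cctype>
#include <stdexcept>
#include <string>
#include <utility>

// Hypothetical stand-in for a Try<T>-style result type (not the stout class).
template <typename T>
class Try {
 public:
  static Try some(T v) { Try t; t.value_ = std::move(v); return t; }
  static Try fail(std::string m) { Try t; t.failed_ = true; t.error_ = std::move(m); return t; }
  bool isError() const { return failed_; }
  // Assumption: reading the value of a failed Try throws, so misuse is observable.
  const T& get() const {
    if (failed_) throw std::logic_error("get() on failed Try: " + error_);
    return value_;
  }
  const std::string& error() const { return error_; }
 private:
  bool failed_ = false;
  T value_{};
  std::string error_;
};

// Percent-decodes `in`; fails on a truncated or non-hex escape.
Try<std::string> decode(const std::string& in) {
  std::string out;
  for (std::size_t i = 0; i < in.size(); ++i) {
    if (in[i] != '%') { out += in[i]; continue; }
    if (i + 2 >= in.size() || !std::isxdigit((unsigned char)in[i + 1]) ||
        !std::isxdigit((unsigned char)in[i + 2]))
      return Try<std::string>::fail("malformed percent-escape");
    out += static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16));
    i += 2;
  }
  return Try<std::string>::some(out);
}

// Decoded first path segment; rejects a missing leading '/' before substr(1, ...).
Try<std::string> first_segment(const std::string& path) {
  if (path.find('/') != 0)
    return Try<std::string>::fail("Request URL path must start with '/'");
  std::size_t index = path.find('/', 1);
  index = index != std::string::npos ? index - 1 : std::string::npos;
  Try<std::string> decoded = decode(path.substr(1, index));
  if (decoded.isError())  // failure branch: error() only, never get()
    return Try<std::string>::fail("Failed to decode URL path: " + decoded.error());
  return decoded;
}
```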
Preconditions
- network: Attacker must be able to send HTTP requests to a Mesos master's libprocess endpoint
- auth: No authentication required
- input: The URL path must be malformed (e.g., empty or containing invalid percent-encoding) to trigger the decoding failure
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.securityfocus.com/bid/101027 (nvd; Third Party Advisory, VDB Entry, WEB)
- github.com/advisories/GHSA-x869-784m-jmj2 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-7687 (ghsa; ADVISORY)
- lists.apache.org/thread.html/2c9ed2b07c2b2831a11d21db3cf8408a71fcf2c300d73ca01bad89df@%3Cdev.mesos.apache.org%3E (ghsa; WEB)
- lists.apache.org/thread.html/2c9ed2b07c2b2831a11d21db3cf8408a71fcf2c300d73ca01bad89df%40%3Cdev.mesos.apache.org%3E (nvd)