VYPR
High severity 7.5 · NVD Advisory · Published Sep 29, 2017 · Updated May 13, 2026

CVE-2017-9790

Description

A missing check in Apache Mesos libprocess causes denial of service via empty request path.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Apache Mesos, the libprocess library incorrectly assumes that the path in an HTTP request always starts with '/'. When handling a libprocess message wrapped in an HTTP request, if the request path is empty, the parser crashes. This affects versions before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request with an empty path to a Mesos master. No authentication or special privileges are required; the attacker only needs network access to the master. The request triggers a crash in the libprocess parser [1].

Impact

Successful exploitation results in a denial of service of the Mesos master, rendering the entire Mesos cluster inoperable until the master is restarted. The crash is due to a segmentation fault caused by the unexpected empty path [1].

Mitigation

Apache Mesos has fixed this vulnerability in versions 1.1.3, 1.2.2, 1.3.1, and later. Users should upgrade to one of these patched versions. No workarounds are documented. The vulnerability is not listed on the CISA KEV [1].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.mesos:mesos (Maven) | < 1.1.3 | 1.1.3 |
| org.apache.mesos:mesos (Maven) | >= 1.2.0, < 1.2.2 | 1.2.2 |
| org.apache.mesos:mesos (Maven) | >= 1.3.0, < 1.3.1 | 1.3.1 |

Affected products (8)

  • Apache/Mesos (6 versions)
    • cpe:2.3:a:apache:mesos:*:*:*:*:*:*:*:* (range: <=1.1.2)
    • cpe:2.3:a:apache:mesos:1.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:mesos:1.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:mesos:1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:mesos:1.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:mesos:1.4.0-dev:*:*:*:*:*:*:*
  • ghsa-coords
    Range: < 1.1.3
  • Apache Software Foundation/Apache Mesos v5
    Range: versions prior to 1.1.3

Patches (1)
39606e1037bb

Rejected libprocess HTTP requests with empty path.

https://github.com/apache/mesos · Alexander Rukletsov · Jul 4, 2017 · Fixed in 1.1.3 · via llm-release-walk
1 file changed · +26 -16
  • 3rdparty/libprocess/src/process.cpp · +26 -16 · modified
    @@ -639,6 +639,11 @@ static Message* parse(Request* request)
         return nullptr;
       }
     
    +  // Check that URL path is present and starts with '/'.
    +  if (request.url.path.find('/') != 0) {
    +    return Failure("Request URL path must start with '/'");
    +  }
    +
       // Now determine 'to'.
       size_t index = request->url.path.find('/', 1);
       index = index != string::npos ? index - 1 : string::npos;
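Review bot: The added guard in parse() reads `request.url.path` and returns `Failure(...)`, while the hunk header shows `static Message* parse(Request* request)` and the neighbouring lines use `request->url.path` and `return nullptr;`. Against that signature the guard needs the pointer form and a null return, for example `if (request->url.path.find('/') != 0) { return nullptr; }`, ideally with a VLOG line like the one in handle() so the rejection is visible. If parse() was changed elsewhere to take a reference and return a failure-carrying type, the hunk context should show that signature instead.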
    @@ -2501,6 +2506,26 @@ void ProcessManager::handle(
     {
       CHECK(request != nullptr);
     
    +  // Start by checking that the path starts with a '/'.
    +  if (request->url.path.find('/') != 0) {
    +    VLOG(1) << "Returning '400 Bad Request' for '" << request->url.path << "'";
    +
    +    // Get the HttpProxy pid for this socket.
    +    PID<HttpProxy> proxy = socket_manager->proxy(socket);
    +
    +    // Enqueue the response with the HttpProxy so that it respects the
    +    // order of requests to account for HTTP/1.1 pipelining.
    +    dispatch(
    +        proxy,
    +        &HttpProxy::enqueue,
    +        BadRequest("Request URL path must start with '/'"),
    +        *request);
    +
    +    // Cleanup request.
    +    delete request;
    +    return;
    +  }
    +
       // Check if this is a libprocess request (i.e., 'User-Agent:
       // libprocess/id@ip:port') and if so, parse as a message.
       if (libprocess(request)) {
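Review bot: `request->url.path.find('/') != 0` at the top of handle() searches the whole path before concluding that the first character is not '/', and the path is supplied by the remote peer; `path.empty() || path[0] != '/'` states the intent directly and runs in constant time. The VLOG line also writes the raw path into the log, so consider capping its length or escaping it before logging. Moving the check ahead of the `libprocess(request)` branch is the part that matters, and with only one file in the change there is no regression test for an empty path on a libprocess-tagged request; adding one would keep the ordering from regressing.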
    @@ -2543,22 +2568,7 @@ void ProcessManager::handle(
         return;
       }
     
    -  // Treat this as an HTTP request. Start by checking that the path
    -  // starts with a '/' (since the code below assumes as much).
    -  if (request->url.path.find('/') != 0) {
    -    VLOG(1) << "Returning '400 Bad Request' for '" << request->url.path << "'";
    -
    -    // Get the HttpProxy pid for this socket.
    -    PID<HttpProxy> proxy = socket_manager->proxy(socket);
    -
    -    // Enqueue the response with the HttpProxy so that it respects the
    -    // order of requests to account for HTTP/1.1 pipelining.
    -    dispatch(proxy, &HttpProxy::enqueue, BadRequest(), *request);
    -
    -    // Cleanup request.
    -    delete request;
    -    return;
    -  }
    +  // Treat this as an HTTP request.
     
       // Ignore requests with relative paths (i.e., contain "/..").
       if (request->url.path.find("/..") != string::npos) {
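Review bot: The replacement comment `// Treat this as an HTTP request.` drops the reason the old comment gave, that the code below assumes the path starts with '/'. The code from here on still relies on that invariant, so the comment should say it is established by the check at the top of handle(). The same `find('/') != 0` test now exists in both parse() and handle(); a small shared helper would keep the two from drifting apart.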
    

Vulnerability mechanics

Root cause

"Missing input validation in the libprocess HTTP parser allows a request with an empty path to trigger a crash because the code assumes the path always starts with '/' before performing string operations."

Attack vector

An unauthenticated attacker sends a crafted HTTP request to a Mesos master (or any libprocess-based component) where the request path is empty (e.g., `GET HTTP/1.1`). The libprocess parser does not check that the path starts with `'/'` before performing string operations, causing a crash. Because the CVSS vector indicates network-based exploitation with no privileges required, the attacker can repeatedly send such requests to cause a sustained denial of service, rendering the Mesos cluster inoperable.

Affected code

The vulnerability resides in `3rdparty/libprocess/src/process.cpp`. The `parse()` function (line ~639) and the `ProcessManager::handle()` function (line ~2501) both assume the request URL path starts with `'/'`. When a libprocess message wrapped in an HTTP request arrives with an empty path, the parser proceeds to use `string::find` and `string::npos` arithmetic on the path without validating its format, leading to a crash.

What the fix does

The patch adds a guard at the top of both `parse()` and `handle()` that checks `request.url.path.find('/') != 0` and returns a `400 Bad Request` response (or a `Failure`) if the path does not start with `'/'`. In `handle()` the check was moved before the libprocess-message parsing branch so that malformed requests are rejected early, preventing the crash. The commit message notes that this dual validation is necessary because `parse()` may receive unvalidated requests.
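
As an added illustration (not code from Apache Mesos or from this advisory), the C++ sketch below mirrors the two index lines visible in the first hunk and shows how unguarded string arithmetic fails on an empty path, next to the same logic behind the patch's guard. The function names and the `substr(1, index)` step are assumptions; the diff does not show how the index is used.

```cpp
// Added illustration; not Apache Mesos code. All function names are hypothetical.
#include <stdexcept>
#include <string>

// Mirrors the two index lines visible in the first hunk. The substr() call
// is an assumption about how the index is then used; the diff does not show it.
std::string recipient_unchecked(const std::string& path)
{
  std::string::size_type index = path.find('/', 1);
  index = index != std::string::npos ? index - 1 : std::string::npos;
  // Empty path: pos (1) > size() (0), so substr() throws std::out_of_range.
  return path.substr(1, index);
}

// Same logic behind the guard the patch adds. Any path that does not start
// with '/' is rejected, which covers the empty path.
bool recipient_checked(const std::string& path, std::string* to)
{
  if (path.find('/') != 0) {
    return false;  // the caller would answer '400 Bad Request'
  }
  *to = recipient_unchecked(path);
  return true;
}

// True if the unchecked variant throws for this path. Left uncaught, such an
// exception calls std::terminate and ends the process.
bool unchecked_throws(const std::string& path)
{
  try {
    recipient_unchecked(path);
  } catch (const std::out_of_range&) {
    return true;
  }
  return false;
}

int main()
{
  std::string to;  // paths below are constructed samples
  bool ok = unchecked_throws("") && !unchecked_throws("/master/state") &&
            !recipient_checked("", &to) &&
            recipient_checked("/master/state", &to) && to == "master";
  return ok ? 0 : 1;
}
```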

Preconditions

  • config: The target must be running a libprocess-based component (e.g., Mesos master) on a version before the fix.
  • network: The attacker must be able to send HTTP requests to the target over the network.
  • auth: No authentication is required (CVSS:3.0 PR:N).
  • input: The request path must be empty (e.g., no path component in the HTTP request line).

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
