CVE-2018-1330
Description
Apache Mesos 1.4.0–1.5.0 libprocess crashes via malformed JSON or chunked HTTP trailers, enabling denial of service of Mesos masters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Mesos 1.4.0–1.5.0 libprocess crashes via malformed JSON or chunked HTTP trailers, enabling denial of service of Mesos masters.
Vulnerability
libprocess in Apache Mesos versions 1.4.0 to 1.5.0 [1] contains two denial-of-service weaknesses. First, parsing a malformed JSON payload triggers an uncaught exception, causing a crash. Second, parsing chunked HTTP requests with trailers hits a mistakenly planted assertion, also leading to a crash. Both code paths are reachable without special configuration beyond having libprocess listen for HTTP requests.
Exploitation
An attacker can send a crafted JSON payload or a chunked HTTP request with malicious trailers to a Mesos master's libprocess endpoint. No authentication is required; the attacker only needs network access to the target master's port. The malformed input triggers either the uncaught exception or the assertion, crashing the process.
Impact
A successful exploit causes a denial of service of the targeted Mesos master, rendering the entire Mesos-controlled cluster inoperable because masters coordinate resource offers and task scheduling. The crash can be repeated to maintain the outage.
Mitigation
Apache Mesos released version 1.5.1 (and later) with the fix; users should upgrade to 1.5.1 or newer [1]. No workarounds are documented in the available references. The vulnerability is not known to be listed in CISA's KEV.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.mesos:mesosMaven | >= 1.4.0, < 1.6.0 | 1.6.0 |
Affected products
16- osv-coords15 versionspkg:apk/chainguard/spark-3.5pkg:apk/chainguard/spark-3.5-scala-2.12-compatpkg:apk/chainguard/spark-3.5-scala-2.12-iamguarded-compatpkg:apk/chainguard/spark-3.5-scala-2.13pkg:apk/chainguard/spark-3.5-scala-2.13-compatpkg:apk/chainguard/spark-fips-3.5pkg:apk/chainguard/spark-fips-3.5-scala-2.12-compatpkg:apk/chainguard/spark-fips-3.5-scala-2.13pkg:apk/chainguard/spark-fips-3.5-scala-2.13-compatpkg:apk/wolfi/spark-3.5pkg:apk/wolfi/spark-3.5-scala-2.12-compatpkg:apk/wolfi/spark-3.5-scala-2.12-iamguarded-compatpkg:apk/wolfi/spark-3.5-scala-2.13pkg:apk/wolfi/spark-3.5-scala-2.13-compatpkg:maven/org.apache.mesos/mesos
< 3.5.7-r2+ 14 more
- (no CPE)range: < 3.5.7-r2
- (no CPE)range: < 3.5.7-r2
- (no CPE)range: < 3.5.7-r2
- (no CPE)range: < 3.5.7-r2
- (no CPE)range: < 3.5.7-r2
- (no CPE)range: < 3.5.4-r17
- (no CPE)range: < 3.5.4-r17
- (no CPE)range: < 3.5.4-r17
- (no CPE)range: < 3.5.4-r17
- (no CPE)range: < 3.5.7-r2
- (no CPE)range: < 3.5.7-r2
- (no CPE)range: < 3.5.7-r2
- (no CPE)range: < 3.5.7-r2
- (no CPE)range: < 3.5.7-r2
- (no CPE)range: >= 1.4.0, < 1.6.0
- Apache Software Foundation/Apache Mesosv5Range: 1.4.0 to 1.5.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-95q3-pppp-r683ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2018-1330ghsaADVISORY
- lists.apache.org/thread.html/395cb6bcf367702acd1e580a1f39b56cdd7a5953d0368b4c1adb1dde%40%3Cdev.mesos.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/395cb6bcf367702acd1e580a1f39b56cdd7a5953d0368b4c1adb1dde@%3Cdev.mesos.apache.org%3EghsaWEB
News mentions
0No linked articles in our index yet.