CVE-2024-48714
Description
In TP-Link TL-WDR7660 v1.0, the guestRuleJsonToBin function handles the parameter string name without checking it, which can lead to stack overflow vulnerabilities.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stack overflow in TP-Link TL-WDR7660 v1.0 guestRuleJsonToBin function via unchecked 'name' parameter allows denial of service.
Vulnerability
The guestRuleJsonToBin function in TP-Link TL-WDR7660 v1.0 does not validate the length of the name parameter, so a long string causes a stack overflow [1]. The vulnerability exists in firmware version v1.0 and is reachable through the guest network configuration endpoint of the web interface.
Exploitation
An attacker with network access to the router's web interface and a valid authentication cookie can send a crafted HTTP POST request to the /stok=... endpoint [1]. The request includes a JSON payload with an excessively long name field (e.g., "a"*0x100000), which triggers the overflow in guestRuleJsonToBin when processing the guest network settings [1].
Impact
Successful exploitation causes a stack overflow, resulting in a denial of service where the guest network configuration becomes unresponsive [1]. The router may crash or become unstable, preventing legitimate modifications to guest network rules.
Mitigation
As of the publication date (2024-10-15), no official patch has been released for this vulnerability [1]. Users should monitor TP-Link for firmware updates and restrict access to the web interface to trusted networks as a temporary workaround.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: 1.0
Patches
No patches discovered yet.
References
1
News mentions
No linked articles in our index yet.