CVE-2019-25330

SurfOffline Professional 2.2.0.103 contains a structured exception handler (SEH) overflow vulnerability that allows attackers to crash the application by manipulating the project name input. Attackers can generate a malicious payload of 382 'A' characters followed by specific byte sequences to trigger a denial of service condition and overwrite SEH registers.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://web.archive.org/web/20190717003929/http://www.bimesoft.com/
https://www.exploit-db.com/exploits/47795
https://www.softpedia.com/get/Internet/Offline-Browsers/SurfOffline.shtml
https://www.vulncheck.com/advisories/surfoffline-professional-project-name-denial-of-se

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) SurfOffline Professional 2.2.0.103 contiene una vulnerabilidad de desbordamiento del controlador de excepciones estructuradas (SEH) que permite a los atacantes bloquear la aplicación manipulando la entrada del nombre del proyecto. Los atacantes pueden generar una carga útil maliciosa de 382 caracteres 'A' seguida de secuencias de bytes específicas para desencadenar una condición de denegación de servicio y sobrescribir los registros SEH.

12 Feb 2026, 23:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-12 23:16

Updated : 2026-04-15 00:35

NVD link : CVE-2019-25330

Mitre link : CVE-2019-25330

CVE.ORG link : CVE-2019-25330

JSON object : View

Products Affected

No product.

CWE

CWE-121

Stack-based Buffer Overflow

{"id": "CVE-2019-25330", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.7, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-12T23:16:05.490", "references": [{"url": "https://web.archive.org/web/20190717003929/http://www.bimesoft.com/", "source": "disclosure@vulncheck.com"}, {"url": "https://www.exploit-db.com/exploits/47795", "source": "disclosure@vulncheck.com"}, {"url": "https://www.softpedia.com/get/Internet/Offline-Browsers/SurfOffline.shtml", "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/surfoffline-professional-project-name-denial-of-se", "source": "disclosure@vulncheck.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-121"}]}], "descriptions": [{"lang": "en", "value": "SurfOffline Professional 2.2.0.103 contains a structured exception handler (SEH) overflow vulnerability that allows attackers to crash the application by manipulating the project name input. Attackers can generate a malicious payload of 382 'A' characters followed by specific byte sequences to trigger a denial of service condition and overwrite SEH registers."}, {"lang": "es", "value": "SurfOffline Professional 2.2.0.103 contiene una vulnerabilidad de desbordamiento del controlador de excepciones estructuradas (SEH) que permite a los atacantes bloquear la aplicaci\u00f3n manipulando la entrada del nombre del proyecto. Los atacantes pueden generar una carga \u00fatil maliciosa de 382 caracteres 'A' seguida de secuencias de bytes espec\u00edficas para desencadenar una condici\u00f3n de denegaci\u00f3n de servicio y sobrescribir los registros SEH."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "disclosure@vulncheck.com"}