CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad

CVE-2014-0160

Heartbleed: The 64KB Key to the Kingdom

Alon Barad
Alon Barad
Software Engineer

Jan 2, 2026·7 min read·26 visits

Executive Summary (TL;DR)

OpenSSL trusted the user-supplied length field in Heartbeat packets without verifying the actual payload size. This allowed attackers to 'over-read' the heap, leaking sensitive data like SSL private keys and user passwords. It affected nearly two-thirds of the internet upon disclosure.

A catastrophic missing bounds check in the OpenSSL Heartbeat extension allowed remote attackers to read up to 64KB of process memory, exposing private keys, session tokens, and user credentials.

Official Patches

OpenSSLOpenSSL Security Advisory [07 Apr 2014]

Fix Analysis (1)

Technical Appendix

CVSS Score
7.5/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Probability
94.47%
Top 1% most exploited
200,000
via Shodan

Affected Systems

Apache HTTP ServernginxOpenVPNEmail Servers (SMTP/IMAP/POP3)Load BalancersEmbedded IoT Devices

Affected Versions Detail

Product
Affected Versions
Fixed Version
OpenSSL
OpenSSL Software Foundation
1.0.1 - 1.0.1f1.0.1g
AttributeDetail
CWE IDCWE-126 (Buffer Over-read)
CVSS Score7.5 (High)
Attack VectorNetwork
EPSS Score94.47%
Exploit StatusActive / Weaponized
ImpactInformation Disclosure (Critical)

MITRE ATT&CK Mapping

T1592Gather Victim Host Information
Reconnaissance
T1555Credentials from Password Stores
Credential Access
T1040Network Sniffing
Credential Access
CWE-126
Buffer Over-read

The software reads from a buffer using length parameters that attacker can control, allowing access to memory outside the intended buffer.

Known Exploits & Detection

MetasploitMetasploit module for scanning and dumping memory from Heartbleed-vulnerable servers.
ExploitDBPython script for testing and exploiting CVE-2014-0160.
NucleiDetection Template Available

Vulnerability Timeline

Vulnerability discovered by Google Security and Codenomicon
2014-03-21
Public Disclosure and Patch Release (OpenSSL 1.0.1g)
2014-04-07
Added to CISA KEV Catalog
2022-05-04

References & Sources

  • [1]Heartbleed.com Official Info
  • [2]XKCD Explanation of Heartbleed

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•10 minutes ago•GHSA-69QJ-PVH9-C5WG
7.5

GHSA-69QJ-PVH9-C5WG: Command Injection in yt-dlp `--exec` Option

An OS command injection vulnerability in yt-dlp before 2026.06.09 allows unauthenticated remote attackers to execute arbitrary shell commands via crafted media metadata when a user processes media using the --exec post-processing parameter with unsafe string interpolation conversions.

Alon Barad
Alon Barad
0 views•7 min read
•about 1 hour ago•GHSA-7CX2-G3H9-382P
8.1

GHSA-7CX2-G3H9-382P: Multiple Vulnerabilities in Crawl4AI Docker API (Arbitrary File Write, SSRF, CRLF Log Injection)

An in-depth technical analysis of multiple security vulnerabilities in the self-hosted Docker API server of Crawl4AI up to version 0.8.7. These flaws include a critical arbitrary file write via symlink traversal and TOCTOU weakness, CRLF log injection, webhook header injection, and SSRF filter gaps. These have been remediated in version 0.8.8.

Alon Barad
Alon Barad
2 views•6 min read
•about 2 hours ago•GHSA-F989-C77F-R2CQ
8.2

GHSA-f989-c77f-r2cq: LLM Credential Exfiltration and SSRF in Crawl4AI Docker Server

A technical evaluation of the Crawl4AI open-source web crawling and scraping library revealed a high-severity credential exfiltration vulnerability in its self-hosted Dockerized API server. The flaw arises from an unvalidated base_url parameter in request payloads and a dynamic prefix resolution mechanism that retrieves system environment variables. Unauthenticated remote attackers can leverage these features in tandem to extract host-level secrets or redirect configured LLM API keys to an external listener under their control.

Amit Schendel
Amit Schendel
4 views•6 min read
•about 2 hours ago•GHSA-365W-HQF6-VXFG
9.8

GHSA-365w-hqf6-vxfg: Multiple Critical Vulnerabilities in Crawl4AI Docker API Server

The Crawl4AI Docker API server, in versions 0.8.6 and prior, contains multiple critical vulnerabilities including improper path sanitization, missing authentication on administration routes, hardcoded JWT secrets, and SSRF. These vulnerabilities allow remote, unauthenticated attackers to write arbitrary files, execute arbitrary code, and pivot into private cloud environments.

Amit Schendel
Amit Schendel
5 views•7 min read
•about 5 hours ago•GHSA-534H-C3CW-V3H9
5.5

GHSA-534h-c3cw-v3h9: Local Information Disclosure via Abstract-Namespace Socket in Nuxt Dev Server

A local security vulnerability in the Nuxt development server (nuxt dev) allows local unprivileged users to access sensitive configuration files and source code. On Linux environments running Node.js 20+, Nuxt bound its internal vite-node IPC server to an abstract-namespace Unix socket without any peer authentication, enabling co-resident local users to connect and request module code directly.

Amit Schendel
Amit Schendel
4 views•5 min read
•about 6 hours ago•GHSA-8RFP-98V4-MMR6
0.0

GHSA-8RFP-98V4-MMR6: Protocol-Filtering Bypass via Unicode Obfuscation in Mozilla Bleach

Mozilla Bleach is an open-source HTML sanitizing library for Python. Versions up to and including 6.3.0 contain an incomplete filtering implementation in the URI validation logic ('sanitize_uri_value'). This logic fails to detect disallowed protocols, such as 'javascript:', if they contain Unicode invisible characters, whitespace characters, or characters with a code point greater than U+00A0. While standard-compliant web browsers do not directly execute invalid URI schemes containing these non-standard characters, downstream systems that normalize Unicode text by stripping invisible or non-ASCII characters can unintentionally reactivate the 'javascript:' prefix, causing Cross-Site Scripting (XSS). Additionally, this behavior violates Bleach's core sanitization contract by outputting URIs that bypass protocol allowlists configured by the caller.

Amit Schendel
Amit Schendel
4 views•7 min read