Mongoose Security Process and EU CRA Compliance Support
Mongoose is a two-file (mongoose.c and mongoose.h) C/C++ embedded networking library and web server by Cesanta. It provides HTTP, WebSocket, MQTT, TLS, OTA firmware updates, and dashboard infrastructure for microcontrollers and connected products.
Cesanta maintains Mongoose security through continuous testing, fuzzing, vulnerability report handling, coordination with security groups, and private commercial customer updates before CVEs become public.
Security facts for technical evaluation
Mongoose is maintained as production device infrastructure. Its security process combines automated testing, external vulnerability reports, coordination with security groups, private commercial customer updates, and commercial maintenance for teams that ship connected devices.
Mongoose is open source, widely known, and extensively scanned. Recent advances in security research and AI can produce dozens of vulnerability reports a month, and the Cesanta team works full time to review reports, coordinate fixes, and protect customers. Proprietary implementations may contain similar issues, but those issues may never be discovered, increasing product risk.
Continuous integration and sanitizer testing
The Mongoose repository runs CI on every commit. Unit tests are built with compiler sanitizers (AddressSanitizer and UndefinedBehaviorSanitizer are the usual choices for C code), which instrument the test binary so that out-of-bounds accesses, use-after-free and undefined behaviour abort the run instead of passing silently. This surfaces memory-safety defects at commit time rather than in the field.
Continuous fuzzing
Mongoose is integrated with Google's OSS-Fuzz continuous fuzzing infrastructure, which runs the project's fuzz targets around the clock, feeding generated and mutated inputs into the library's parsers and reporting any crash or sanitizer finding back to the maintainers. Unlike a one-off scan, this keeps exercising new code as it lands.
Vulnerability report handling
Cesanta receives vulnerability reports from independent security groups and researchers. When an issue is confirmed, the team coordinates the fix and disclosure timeline with the reporters and issues private updates to eligible commercial customers one month before the CVE is published, giving those customers time to update their products before the issue becomes public.
Customer security audits
Some customers run independent security audits for products that use Mongoose. Cesanta handles reported issues through the same security response workflow.
How Mongoose supports connected product compliance
Secure communication
Mongoose includes TLS support for HTTPS, secure WebSocket and MQTT over TLS, using either its built-in TLS stack or an external mbedTLS or OpenSSL backend. Transport security still depends on how the product configures it: certificate validation for client connections (a trusted CA bundle), the server certificate and key, and where that key is stored are the integrator's responsibility.
Secure updates
Mongoose includes OTA firmware update workflows for connected products that must receive fixes after shipment. The library provides the update transport and flashing plumbing; integrators should still confirm that their update path authenticates images before they are applied and that a failed update can be rolled back.
Maintainable device APIs
Mongoose lets teams expose device functionality through simple C APIs, reducing custom network and frontend glue code.
FAQ
Is Mongoose suitable for products with EU CRA security requirements?
Mongoose supports EU CRA compliance work by providing a maintained embedded networking stack, TLS, OTA update support, access-control patterns, CI testing, fuzzing, vulnerability handling, and commercial maintenance options.
How does Cesanta handle security reports?
Cesanta reviews reported vulnerabilities, coordinates fixes with security groups, and issues private updates to eligible commercial customers one month before the respective CVE release. This gives commercial customers time to update before the issue becomes public.
Which security-related features does Mongoose include?
Mongoose includes HTTP, WebSocket, MQTT, TLS, OTA firmware update support, file upload workflows, login and access-control patterns, and embedded dashboard infrastructure.