Mongoose Logo Mongoose
  1. Home
  2. Security
  3. EU CRA compliance
Security and CRA compliance

EU CRA compliance starts with the networking stack

The EU Cyber Resilience Act requires manufacturers of connected products to ship without known vulnerabilities, support secure remote updates, and maintain a vulnerability handling process for the product's lifetime.

Mongoose gives you the infrastructure to meet those obligations - built-in TLS 1.3, signed OTA firmware updates with rollback, daily automated fuzzing, and AI-assisted security review on every code change.

What CRA requires - and how Mongoose delivers

No known exploitable vulnerabilities at shipment

CRA Annex I §1(a). Products must ship with no known exploitable vulnerabilities.

Daily libFuzzer runs on the full parser and TLS stack - 4+ hours every night
OSS-Fuzz continuous fuzzing, results public on the OSS-Fuzz dashboard
CodeQL static analysis on every commit
Claude AI security review on every pull request with custom scan rules
ASAN + UBSan test suite runs on every push

Secure communication - confidentiality and integrity

CRA Annex I §1(d,e). Products must protect data in transit.

Built-in TLS 1.3 stack - no external library required, works on bare-metal MCUs
Supports mbedTLS, OpenSSL, and WolfSSL for platforms with existing TLS requirements
TLS enabled by a single define; off-by-default only on resource-constrained targets
HTTPS, WSS (WebSocket Secure), and MQTT over TLS out of the box

Secure remote firmware updates

CRA Annex I §1(h) and Art. 13. Products must be updatable; updates must be secure.

OTA firmware update infrastructure built into the library (not bolted on)
Cryptographic signature verification before flash - rejects unsigned firmware
Automatic rollback if the new firmware fails a post-update health check
Supports 15+ MCU families: STM32 H5/H7/F, NXP IMXRT, ESP32, RP2040/2350, Renesas, and more

Minimal attack surface

CRA Annex I §1(b). Products must minimise attack surfaces.

Two files - mongoose.c and mongoose.h - no external package dependencies to install or manage
Small SBOM: one top-level component + six vendored crypto routines (all MIT/BSD/public domain); no transitive package graph
All protocols (HTTP, MQTT, TLS, DNS) share a single event loop - no separate library surfaces to audit
ISO C / ISO C++ compliant - no undefined behaviour by construction

Vulnerability handling process

CRA Annex I Part II. Manufacturers must have a documented vulnerability handling process.

Cesanta reviews incoming security reports and coordinates fixes
Commercial customers receive private patches before public CVE disclosure
Proactive notification to eligible commercial customers when security fixes are available
Security maintenance available for agreed product lifetimes

Access control and authentication

CRA Annex I §1(c). Products must protect against unauthorised access.

Built-in HTTP authentication framework (basic, token, custom)
Device dashboard includes role-based access control
TLS client certificate authentication for device-to-cloud mutual TLS

The alternative: owning it yourself

Building a private embedded web server means your team inherits the entire security surface indefinitely. Under CRA that means: running your own fuzzing infrastructure, triaging every incoming security report, writing fixes, verifying them, distributing patches to devices already in the field, and notifying customers - for the lifetime of the product, with documented processes and timelines.

Mongoose externalises that to a team that does it as a full-time job. You get a maintained, tested, security-reviewed networking stack, and your team focuses on your product.

Frequently asked questions

Does Mongoose fully satisfy CRA for my product?

Mongoose covers the networking layer - the part of your product that handles communication, remote updates, and web interfaces. CRA covers the whole product. Using Mongoose removes the hardest part of the security surface, but you still need to address your application logic, hardware interfaces, and process requirements (SBOM submission, incident reporting, etc.).

What is the SBOM entry for Mongoose?

Mongoose is two files with no external package dependencies. The built-in TLS stack vendors six small crypto routines inline (micro-ecc, BearSSL RSA, x25519, SHA-1, SHA-256, MD5), all under permissive licences. Your SBOM has one top-level entry plus those six sub-components - no transitive package graph to resolve or audit.

How does Mongoose handle vulnerability disclosure?

Cesanta reviews security reports, prepares fixes, and notifies commercial customers before public CVE disclosure. This gives connected device manufacturers time to deploy patches to devices in the field before vulnerabilities are publicly known.

Does Mongoose work on our MCU?

Mongoose runs on any platform with a C compiler. Built-in OTA supports STM32 (H5, H7, F series), NXP IMXRT, ESP32, RP2040/2350, Renesas RA, WCH, and others. For platforms without built-in OTA support, the MG_OTA_CUSTOM path lets you integrate Mongoose's update logic with your own flash driver.

Is commercial support available?

Yes. Commercial licences include private security notifications, maintenance SLAs, and support for specific product lifetimes. Contact us to discuss your requirements.

Ready to evaluate?

Two files. Drop them into your project and start building.

Get started Talk to us about CRA
Mongoose logo Mongoose
Mongoose is an embedded web server and all-in-one TCP/IP stack with TLS, MQTT, firmware OTA
FacebookCesanta Facebook page LinkedinCesanta Linkedin page TwitterCesanta Twitter page GithubCesanta Github page

Quick Links

Privacy Policy
Documentation
Licensing

Contact

Cesanta, 13 Edward Pl, Dublin 4, Ireland
+353 1 592 5476
support@cesanta.com