QwikSec

Security Database

CVE

CWE

Training

CVE-2025-14299

Published: Dec 20, 2025

Modified: Dec 22, 2025

PUBLISHED

Description

The HTTPS server on Tapo C200 V3 does not properly validate the Content-Length header, which can lead to an integer overflow. An unauthenticated attacker on the same local network segment can send crafted HTTPS requests to trigger excessive memory allocation, causing the device to crash and resulting in denial-of-service (DoS).

Vendor	Product	Versions
TP-Link Systems Inc.	Tapo C200 V3	affected `0 - < C200(US)_V3_1.4.5 Build 251104`

Weaknesses (CWE)

References

https://www.tp-link.com/us/support/download/tapo-c200/v3/#Firmware-Release-Notes

https://www.tp-link.com/us/support/faq/4849/

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.