Overview
CVE-2025-65499 is a critical vulnerability discovered in OISM libcoap version 4.3.5. This array index error resides in the tls_verify_call_back() function within src/coap_openssl.c. This flaw allows remote attackers to potentially trigger a denial-of-service (DoS) condition on affected systems by sending a specially crafted DTLS handshake.
Technical Details
The vulnerability stems from an array index error in the tls_verify_call_back() function. Specifically, the issue occurs when SSL_get_ex_data_X509_STORE_CTX_idx() returns -1. This unexpected return value, when not properly handled, leads to an out-of-bounds access when used as an index. An attacker can exploit this by crafting a malicious DTLS handshake that forces SSL_get_ex_data_X509_STORE_CTX_idx() to return -1, ultimately causing a denial-of-service due to the resulting crash or unexpected behavior.
The specific location of the issue is within src/coap_openssl.c.
CVSS Analysis
The CVSS score for CVE-2025-65499 is currently listed as N/A. However, given the potential for remote denial-of-service, a further assessment and assignment of a CVSS score is highly recommended. A CVSS score will likely place this vulnerability as Medium to High severity depending on the attack complexity and the availability of exploit code.
Possible Impact
Successful exploitation of CVE-2025-65499 can lead to a denial-of-service condition. This means that affected CoAP servers become unresponsive, disrupting services relying on CoAP communication. In IoT deployments or other environments where CoAP is critical, this can have significant consequences.
Mitigation or Patch Steps
The recommended mitigation strategy is to upgrade to a patched version of libcoap that addresses this vulnerability. According to available information, a fix has been proposed in Pull Request #1750. Users should monitor libcoap’s official channels for the release of a patched version containing these fixes. Apply the patch as soon as it becomes available. In the meantime, consider implementing workarounds, such as input validation on DTLS handshake parameters, if possible, although this might be difficult to implement correctly without modifying the library’s source code.
