Overview
CVE-2025-65498 describes a NULL pointer dereference vulnerability in obgm libcoap version 4.3.5, located in the coap_dtls_generate_cookie() function in src/coap_openssl.c. A remote attacker can trigger a denial-of-service (DoS) condition by sending a specially crafted DTLS handshake that causes SSL_get_SSL_CTX() to return NULL; the code then dereferences that NULL pointer and crashes.
Technical Details
The vulnerability occurs because the coap_dtls_generate_cookie() function does not adequately check for a NULL return value from the SSL_get_SSL_CTX() function before attempting to use the returned pointer. Specifically, a crafted DTLS handshake can be constructed in a way that forces SSL_get_SSL_CTX() to return NULL under certain conditions related to the TLS/DTLS session setup. The subsequent dereference of this NULL pointer results in a program crash, effectively denying service to legitimate users.
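The defensive pattern behind the fix, as an added example that is not libcoap's code: a cookie generator that follows the return convention of OpenSSL's cookie-generate callback (1 = cookie produced, 0 = failure, which makes OpenSSL abort the handshake) and fails closed when the per-session context lookup yields NULL instead of dereferencing it. The dtls_ctx_t struct, lookup_ctx(), cookie_for_session() and the FNV-1a based keyed_digest() are all assumptions made for this example; the digest is a stand-in for a real MAC such as HMAC and says nothing about how libcoap actually derives its cookies.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COOKIE_LEN 16

/* Hypothetical per-listener DTLS context carrying the cookie secret.
 * Stand-in for the object a real server would fetch from its SSL_CTX. */
typedef struct {
    uint8_t secret[16];
} dtls_ctx_t;

/* Stand-in keyed digest: FNV-1a over secret || peer, expanded to 16 bytes.
 * NOT a cryptographic MAC; a real implementation would use HMAC. */
static void keyed_digest(const uint8_t *key, size_t key_len,
                         const uint8_t *msg, size_t msg_len,
                         uint8_t out[COOKIE_LEN]) {
    uint64_t h = 0xcbf29ce484222325ULL;
    size_t i;
    for (i = 0; i < key_len; i++) { h ^= key[i]; h *= 0x100000001b3ULL; }
    for (i = 0; i < msg_len; i++) { h ^= msg[i]; h *= 0x100000001b3ULL; }
    for (i = 0; i < COOKIE_LEN; i++) {
        h ^= (uint64_t)i;
        h *= 0x100000001b3ULL;
        out[i] = (uint8_t)(h >> 56);
    }
}

/* Simulated context lookup: returns NULL for a session that has no context,
 * which is the situation the crafted handshake provokes in the CVE. */
const dtls_ctx_t *lookup_ctx(int session_has_ctx) {
    static const dtls_ctx_t demo_ctx = { {
        0x5a, 0x11, 0xc3, 0x07, 0x9e, 0x42, 0xd8, 0x6b,
        0x20, 0xf1, 0x3c, 0x77, 0x8d, 0xa5, 0x0e, 0xb9 } };  /* constructed secret */
    return session_has_ctx ? &demo_ctx : NULL;
}

/* Cookie generation with the check the fix adds: a NULL context is a
 * failed handshake, never a dereference. Without the ctx == NULL test the
 * ctx->secret access below would be the crash site. */
int generate_cookie(const dtls_ctx_t *ctx,
                    const uint8_t *peer_addr, size_t peer_len,
                    uint8_t *cookie, unsigned int *cookie_len) {
    if (ctx == NULL || cookie == NULL || cookie_len == NULL)
        return 0;
    if (peer_addr == NULL || peer_len == 0)
        return 0;
    keyed_digest(ctx->secret, sizeof ctx->secret, peer_addr, peer_len, cookie);
    *cookie_len = COOKIE_LEN;
    return 1;
}

/* Wraps lookup + generation the way a cookie callback would. */
int cookie_for_session(int session_has_ctx,
                       const uint8_t *peer_addr, size_t peer_len,
                       uint8_t *cookie, unsigned int *cookie_len) {
    const dtls_ctx_t *ctx = lookup_ctx(session_has_ctx);
    return generate_cookie(ctx, peer_addr, peer_len, cookie, cookie_len);
}

int main(void) {
    uint8_t cookie[COOKIE_LEN];
    unsigned int len = 0;
    const uint8_t peer[] = "192.0.2.1:5684";  /* constructed sample peer address */
    if (!cookie_for_session(0, peer, sizeof peer - 1, cookie, &len))
        printf("no context for session: handshake rejected, no crash\n");
    if (cookie_for_session(1, peer, sizeof peer - 1, cookie, &len))
        printf("cookie of %u bytes issued\n", len);
    return 0;
}
```

The cookie is a function of the secret and the peer address only, so the same peer gets the same cookie on its retry and a different peer gets a different one; the NULL-context path returns 0 before touching any secret, which is exactly the behaviour the crafted handshake in CVE-2025-65498 relies on being absent.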
CVSS Analysis
Currently, a CVSS score has not been assigned to CVE-2025-65498. However, given that the vulnerability leads to a denial-of-service, it would likely receive a CVSS score in the Medium to High range, depending on the ease of exploitation and the potential impact on system availability. The actual CVSS score will depend on the specific environmental and temporal factors considered.
Possible Impact
Successful exploitation of CVE-2025-65498 can lead to:
- Denial of Service (DoS): The primary impact is a denial of service. An attacker can repeatedly send malicious DTLS handshakes to crash the libcoap-based application, rendering it unavailable to legitimate users.
- Service Interruption: Services relying on libcoap for DTLS communication will experience interruptions.
Mitigation and Patch Steps
The recommended mitigation is to upgrade to a patched version of libcoap that addresses this vulnerability. The following steps can be taken:
- Upgrade libcoap: Upgrade to the latest version of libcoap that includes the fix for issue #1746. The pull request PR #1750 on the libcoap GitHub repository contains the necessary fix.
- Apply the Patch: If upgrading is not immediately possible, apply the patch from PR #1750 manually to your current libcoap installation. This patch adds a check for a NULL return value from SSL_get_SSL_CTX().
- Implement Workarounds (if necessary): If neither upgrading nor patching is immediately feasible, consider temporary workarounds such as rate limiting or input validation to reduce the risk of exploitation, though these are not ideal solutions.
References
- CVE ID: CVE-2025-65498
- libcoap Issue #1746: https://github.com/obgm/libcoap/issues/1746
- libcoap Pull Request #1750: https://github.com/obgm/libcoap/pull/1750
