CVE-2025-59398
BaseFortify
Publication date: 2025-09-15
Last updated on: 2025-09-16
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| everest | libocpp | 0.26.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-392 | The product encounters an error but does not provide a status code or return value to indicate that an error has occurred. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in the OCPP implementation of the libocpp library before version 0.26.2. When the system processes JSON input larger than 255 characters, it tries to create a CiString<255> object, which has a maximum allowed length of 255 characters. Because the StringTooLarge policy is set to Throw, exceeding this limit causes a runtime exception that crashes the EVerest system. This crash leads to a denial of service (DoS) by making the system unavailable when it receives oversized or malformed JSON messages. [1]
How can this vulnerability impact me?
The vulnerability can cause the EVerest system to crash completely when it receives JSON messages larger than 255 characters. This results in a denial of service (DoS), making the electric vehicle infrastructure software unavailable and potentially disrupting charging operations or other related services that depend on this system. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusually large JSON messages exceeding 255 characters sent to the OCPP 2.0.1 message receiver module, which may cause the system to throw exceptions or crash. Detection can involve capturing and analyzing network traffic for oversized JSON payloads targeting the EVerest system. Additionally, logs should be checked for error messages related to malformed RPC messages, StringConversionException, or CALLERROR responses with error codes like "RpcFrameworkError" or "FormationViolation". Specific commands are not provided in the resources, but using network packet capture tools (e.g., tcpdump or Wireshark) to filter for large JSON messages sent to the OCPP endpoint and reviewing application logs for the mentioned error patterns would be effective. [1, 2, 4]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the libocpp library to version 0.26.2 or later, which contains fixes that improve handling and reporting of invalid or oversized JSON messages, preventing crashes. The update adds exception handling for malformed RPC messages and string conversion errors, responds with appropriate CALLERROR messages, and logs security events for invalid messages. Until the update is applied, monitoring and filtering incoming JSON messages to block or reject those larger than 255 characters can help reduce the risk of denial of service. [2, 4]
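The failure mode described in the first answer and the fix described in the mitigation answer, shown together as an added C++ example written for this page (not libocpp's own code): a simplified length-limited string that throws under the StringTooLarge policy, a pre-fix handler that lets the exception escape, and a handler that catches it and answers with a CALLERROR instead. The CiString model, the Outcome struct and the handler names are constructed for illustration.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>
#include <string_view>

// Simplified model of the length-limited string type the CVE describes, written
// for this page (not libocpp's own CiString); only the Throw policy is modelled.
struct StringConversionException : std::runtime_error {
    using std::runtime_error::runtime_error;
};

template <std::size_t N>
class CiString {
public:
    explicit CiString(std::string_view s) {
        if (s.size() > N)  // StringTooLarge policy set to Throw
            throw StringConversionException("value exceeds " + std::to_string(N) + " chars");
        value_.assign(s);
    }
    const std::string& get() const { return value_; }
private:
    std::string value_;
};

// Result of handling one message field: an empty code means accepted,
// otherwise it is the CALLERROR code the receiver would send back.
struct Outcome { bool accepted; std::string callerror_code; };
// Pre-fix pattern: the conversion throws and nothing in the receiver catches
// it, so the exception unwinds out of the message loop (the DoS).
Outcome handle_field_unpatched(std::string_view field) {
    [[maybe_unused]] CiString<255> s(field);
    return {true, ""};
}

// Fixed pattern modelled on the described 0.26.2 behaviour: catch the error
// and answer with a CALLERROR instead of letting the process terminate.
Outcome handle_field_patched(std::string_view field) {
    try {
        [[maybe_unused]] CiString<255> s(field);
        return {true, ""};
    } catch (const StringConversionException&) {
        return {false, "FormationViolation"};
    }
}

// Reports whether the unpatched handler's exception escapes (what kills the real process).
bool unpatched_exception_escapes(std::string_view field) {
    try { handle_field_unpatched(field); return false; }
    catch (const StringConversionException&) { return true; }
}
```

A 255-character value is accepted by both handlers; a 256-character value escapes the unpatched handler as an uncaught exception but yields a FormationViolation CALLERROR from the patched one.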