CVE-2025-59398
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-15

Last updated on: 2025-09-16

Assigner: MITRE

Description
The OCPP implementation in libocpp before 0.26.2 allows a denial of service (EVerest crash) via JSON input larger than 255 characters, because a CiString<255> object is created with StringTooLarge set to Throw.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-15
Last Modified
2025-09-16
Generated
2026-06-16
AI Q&A
2025-09-15
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59398
EUVD
EUVD-2025-29233
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
everest libocpp 0.26.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-392 The product encounters an error but does not provide a status code or return value to indicate that an error has occurred.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in the OCPP implementation of the libocpp library before version 0.26.2. When the system processes JSON input larger than 255 characters, it tries to create a CiString<255> object which has a maximum allowed length of 255 characters. Because the StringTooLarge policy is set to Throw, exceeding this limit causes a runtime exception that crashes the EVerest system. This crash leads to a denial of service (DoS) by making the system unavailable when it receives oversized or malformed JSON messages. [1]

Impact Analysis

The vulnerability can cause the EVerest system to crash completely when it receives JSON messages larger than 255 characters. This results in a denial of service (DoS), making the electric vehicle infrastructure software unavailable and potentially disrupting charging operations or other related services that depend on this system. [1]

Detection Guidance

This vulnerability can be detected by monitoring for unusually large JSON messages exceeding 255 characters sent to the OCPP 2.0.1 message receiver module, which may cause the system to throw exceptions or crash. Detection can involve capturing and analyzing network traffic for oversized JSON payloads targeting the EVerest system. Additionally, logs should be checked for error messages related to malformed RPC messages, StringConversionException, or CALLERROR responses with error codes like "RpcFrameworkError" or "FormationViolation". Specific commands are not provided in the resources, but using network packet capture tools (e.g., tcpdump or Wireshark) to filter for large JSON messages sent to the OCPP endpoint and reviewing application logs for the mentioned error patterns would be effective. [1, 2, 4]

Mitigation Strategies

Immediate mitigation steps include updating the libocpp library to version 0.26.2 or later, which contains fixes that improve handling and reporting of invalid or oversized JSON messages, preventing crashes. The update adds exception handling for malformed RPC messages and string conversion errors, responds with appropriate CALLERROR messages, and logs security events for invalid messages. Until the update is applied, monitoring and filtering incoming JSON messages to block or reject those larger than 255 characters can help reduce the risk of denial of service. [2, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59398. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart