CVE-2025-11679
BaseFortify
Publication date: 2025-10-20
Last updated on: 2025-10-21
Assigner: Nozomi Networks Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| warmcat | libwebsockets | 4.4.2 |
| warmcat | libwebsockets | 4.1 |
| warmcat | libwebsockets | 4.3.6 |
| warmcat | libwebsockets | 4.2 |
| warmcat | libwebsockets | 4.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an out-of-bounds read in the UPNG (micro PNG decoder) library used by warmcat libwebsockets. In the function `lws_upng_emit_next_line`, the input buffer is indexed without proper bounds checking, which allows reads past the allocated memory. The flaw is reachable when the `LWS_WITH_UPNG` flag is enabled and the HTML display stack is used, and it is triggered by visiting an attacker-controlled website that serves a crafted PNG file with a large height dimension. The result can be a crash or other unintended behavior. [1]
How can this vulnerability impact me?
This vulnerability can cause a crash of the application using libwebsockets when processing a malicious PNG file, potentially leading to denial of service. Since it involves reading memory out of bounds, it might also expose sensitive information or lead to undefined behavior, depending on the context and exploitation, although the primary impact described is a crash. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or abnormal behavior in applications using libwebsockets with the `LWS_WITH_UPNG` flag enabled when processing PNG files. Since the issue occurs when visiting attacker-controlled websites with crafted PNG files, network detection could involve inspecting PNG files for unusually large height dimensions or malformed PNGs. However, no specific detection commands or signatures are provided in the available resources. [1]
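The header inspection mentioned above, as an added example that is not from the advisory or from libwebsockets: it validates the PNG signature and IHDR chunk (including its CRC) and flags heights above a threshold. The 16384 threshold, the verdict strings and the function names are assumptions chosen for illustration; the page gives no cut-off value.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_HEIGHT = 16384  # assumed triage threshold, not a value from the advisory


def inspect_png_header(data, max_height=MAX_HEIGHT):
    """Return (verdict, width, height) for the IHDR chunk of a PNG byte string."""
    if not data.startswith(PNG_SIGNATURE):
        return ("not-png", None, None)
    # signature (8) + length (4) + type (4) + IHDR data (13) + CRC (4) = 33 bytes
    if len(data) < 33:
        return ("malformed", None, None)
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return ("malformed", None, None)
    body = data[16:29]
    (crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
        return ("malformed", None, None)
    width, height = struct.unpack(">II", body[:8])
    # PNG specification: dimensions are non-zero and fit in 31 bits
    if not (0 < width <= 0x7FFFFFFF and 0 < height <= 0x7FFFFFFF):
        return ("malformed", width, height)
    if height > max_height:
        return ("suspicious-height", width, height)
    return ("ok", width, height)


def make_header(width, height):
    """Build a constructed signature + IHDR chunk (no image data) for the samples."""
    body = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + body + struct.pack(">I", crc)


# Constructed samples: header-only byte strings, not real images
GOOD = make_header(640, 480)
SAMPLES = {
    "normal": GOOD,
    "tall": make_header(16, 1_000_000),
    "bad-crc": GOOD[:-1] + bytes([GOOD[-1] ^ 0xFF]),
    "truncated": GOOD[:20],
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, inspect_png_header(blob))
```

A check like this only triages files for review; it does not replace patching or disabling the decoder.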
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the patch that fixes the out-of-bounds read by adding bounds checking with a modulo operation on the input buffer index in the function `lws_upng_emit_next_line` in `lib/misc/upng.c`. Alternatively, disabling the `LWS_WITH_UPNG` flag during compilation or avoiding the use of the HTML display stack that processes PNG files can reduce exposure. Also, avoid visiting untrusted websites that may host crafted PNG files until patched. [1]