CVE-2025-59398

Description

The OCPP implementation in libocpp before 0.26.2 allows a denial of service (EVerest crash) via JSON input larger than 255 characters, because a CiString<255> object is created with StringTooLarge set to Throw.

CVSS v3.1 Score

3.1

LOW

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Weakness Type (CWE)

CWE-392 CWE-392

References

Other References

https://github.com/EVerest/everest-core/commit/253432ae7458ad0445f68f9d716086090c2be49c https://github.com/EVerest/everest-core/issues/1152 https://github.com/EVerest/libocpp/commit/fb391b4ff16a0a07150e5a8eebf0856fb6623cbe https://github.com/EVerest/libocpp/compare/v0.26.1...v0.26.2 https://github.com/EVerest/libocpp/pull/1052

Frequently Asked Questions

What is CVE-2025-59398? +

The OCPP implementation in libocpp before 0.26.2 allows a denial of service (EVerest crash) via JSON input larger than 255 characters, because a CiString<255> object is created with StringTooLarge set to Throw. It has a CVSS v3.1 base score of 3.1 (LOW).

How severe is CVE-2025-59398? +

CVE-2025-59398 has a CVSS v3.1 score of 3.1 out of 10, rated LOW. This is a low-severity vulnerability with limited impact.

How do I check if I'm vulnerable to CVE-2025-59398? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2026-42246

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a …

CVE-2025-32743 9.0

In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c can be NULL or an empty string when the …

CVE-2024-39697 8.6

phonenumber is a library for parsing, formatting and validating international phone numbers. Since 0.3.4, the phonenumber parsing code may panic …

CVE-2025-23270 7.1

NVIDIA Jetson Linux contains a vulnerability in UEFI Management mode, where an unprivileged local attacker may cause exposure of sensitive …

CVE-2024-12797 6.3

Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server …

CVE-2025-26268 3.3

DragonflyDB Dragonfly before 1.27.0 allows authenticated users to cause a denial of service (daemon crash) via a crafted Redis command. …