CVE-2025-62689

NULL pointer dereference vulnerability exists in GNU libmicrohttpd v1.0.2 and earlier. The vulnerability was fixed in commit ff13abc on the master branch of the libmicrohttpd Git repository, after the v1.0.2 tag. A specially crafted packet sent by an attacker could cause a denial-of-service (DoS) condition.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.gnunet.org/libmicrohttpd.git/commit/?id=ff13abc1c1d7d2b30d69d5c0bd4a237e1801c50b	Patch
https://jvn.jp/en/jp/JVN76719218/	Third Party Advisory
https://www.gnu.org/software/libmicrohttpd/	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:gnu:libmicrohttpd:*:*:*:*:*:*:*:*

History

14 Nov 2025, 18:05

Type	Values Removed	Values Added
References	~~() https://git.gnunet.org/libmicrohttpd.git/commit/?id=ff13abc1c1d7d2b30d69d5c0bd4a237e1801c50b -~~	() https://git.gnunet.org/libmicrohttpd.git/commit/?id=ff13abc1c1d7d2b30d69d5c0bd4a237e1801c50b - Patch
References	~~() https://jvn.jp/en/jp/JVN76719218/ -~~	() https://jvn.jp/en/jp/JVN76719218/ - Third Party Advisory
References	~~() https://www.gnu.org/software/libmicrohttpd/ -~~	() https://www.gnu.org/software/libmicrohttpd/ - Product
First Time		Gnu Gnu libmicrohttpd
CPE		cpe:2.3:a:gnu:libmicrohttpd::::::::

10 Nov 2025, 05:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-11-10 05:15

Updated : 2025-11-14 18:05

NVD link : CVE-2025-62689

Mitre link : CVE-2025-62689

CVE.ORG link : CVE-2025-62689

JSON object : View

Products Affected

gnu

libmicrohttpd

CWE

CWE-122

Heap-based Buffer Overflow

{"id": "CVE-2025-62689", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "vultures@jpcert.or.jp", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "vultures@jpcert.or.jp", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-11-10T05:15:49.087", "references": [{"url": "https://git.gnunet.org/libmicrohttpd.git/commit/?id=ff13abc1c1d7d2b30d69d5c0bd4a237e1801c50b", "tags": ["Patch"], "source": "vultures@jpcert.or.jp"}, {"url": "https://jvn.jp/en/jp/JVN76719218/", "tags": ["Third Party Advisory"], "source": "vultures@jpcert.or.jp"}, {"url": "https://www.gnu.org/software/libmicrohttpd/", "tags": ["Product"], "source": "vultures@jpcert.or.jp"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "vultures@jpcert.or.jp", "description": [{"lang": "en", "value": "CWE-122"}]}], "descriptions": [{"lang": "en", "value": "NULL pointer dereference vulnerability exists in GNU libmicrohttpd v1.0.2 and earlier. The vulnerability was fixed in commit ff13abc on the master branch of the libmicrohttpd Git repository, after the v1.0.2 tag. A specially crafted packet sent by an attacker could cause a denial-of-service (DoS) condition."}], "lastModified": "2025-11-14T18:05:06.277", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gnu:libmicrohttpd:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "71349595-7325-41D9-B13D-D5C04F7F0679", "versionEndExcluding": "2025-09-16"}], "operator": "OR"}]}], "sourceIdentifier": "vultures@jpcert.or.jp"}