CVE-2025-65495

7.5 HIGH

📋 TL;DR

A signedness error in libcoap's TLS certificate verification allows remote attackers to cause denial of service. When i2d_X509() returns -1 due to a malicious certificate, this negative value is incorrectly used as a malloc() size parameter, leading to memory corruption. This affects systems using OISM libcoap 4.3.5 with TLS enabled.
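The allocation pattern described above, as an added illustration that is not libcoap's or OpenSSL's code: a constructed stand-in for the two-call i2d_X509() length query shows the signed result flowing into malloc() next to a hardened version that rejects the -1 before it can become a size_t.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a certificate; not an OpenSSL type. */
typedef struct { const unsigned char *der; int len; } fake_cert;

/* Constructed stand-in for i2d_X509(): with out == NULL it returns the DER
 * length, otherwise it writes the encoding and advances *out. A NULL cert
 * or a negative length models a certificate that fails to encode (-1). */
static int fake_i2d(const fake_cert *cert, unsigned char **out) {
    if (cert == NULL || cert->len < 0 || cert->der == NULL) return -1;
    if (out != NULL && *out != NULL) {
        memcpy(*out, cert->der, (size_t)cert->len);
        *out += cert->len;
    }
    return cert->len;
}

/* Vulnerable pattern: the signed result is passed straight to malloc().
 * Returns the value malloc() would receive; on encode failure the -1
 * silently becomes SIZE_MAX, so the allocation fails and the later write
 * into the "buffer" goes wrong. */
static size_t vulnerable_alloc_size(const fake_cert *cert) {
    int len = fake_i2d(cert, NULL);
    return (size_t)len;
}

/* Hardened pattern: reject non-positive lengths before they reach malloc(),
 * then check that the second encode call produced exactly that many bytes.
 * Returns a caller-freed buffer and sets *out_len, or NULL on any failure. */
static unsigned char *hardened_der_copy(const fake_cert *cert, size_t *out_len) {
    int len = fake_i2d(cert, NULL);
    if (len <= 0) return NULL;                  /* -1 never reaches malloc */
    unsigned char *buf = malloc((size_t)len);
    if (buf == NULL) return NULL;
    unsigned char *p = buf;
    if (fake_i2d(cert, &p) != len || p - buf != len) { free(buf); return NULL; }
    *out_len = (size_t)len;
    return buf;
}
```

The same check applies to any i2d_*() caller: the length query and the encoding call must both be tested for a negative return before the value is used as a size.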

💻 Affected Systems

Products:
  • OISM libcoap
Versions: 4.3.5
Operating Systems: All platforms where libcoap is compiled with OpenSSL support
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when TLS/DTLS is enabled and processing certificates from untrusted sources.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution or complete service crash from heap corruption caused by the invalid malloc() size.

🟠 Likely Case

Denial of service through application crash or memory exhaustion.

🟢 If Mitigated

Limited impact if TLS is disabled or proper input validation is implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a malicious TLS certificate to the vulnerable service.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.3.6 or later

Vendor Advisory: https://github.com/obgm/libcoap/issues/1744

Restart Required: Yes

Instructions:

1. Update libcoap to version 4.3.6 or later.
2. Recompile any applications that use libcoap.
3. Restart affected services.

🔧 Temporary Workarounds

Disable TLS/DTLS (platforms: all)

Disable TLS certificate verification if not required for your use case.

Configure coap-server or client with the --disable-tls flag if available.

Network filtering (platforms: all)

Block untrusted certificate sources at the network perimeter.

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable systems
  • Use reverse proxy with certificate validation before reaching vulnerable service

🔍 How to Verify

Check if Vulnerable:

Check libcoap version: dpkg -l libcoap* or rpm -qa | grep libcoap

Check Version:

coap-server --version 2>&1 | grep -i version

Verify Fix Applied:

Verify version is 4.3.6 or later and check that the patch from PR #1750 is applied.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory allocation errors
  • Unexpected termination of coap services

Network Indicators:

  • Malformed TLS certificates sent to coap ports (typically 5683, 5684)

SIEM Query:

source="coap.log" AND ("malloc" OR "segmentation fault" OR "certificate")
