CVE-2025-65499

4.3 MEDIUM

📋 TL;DR

An array index error in OISM libcoap's TLS verification callback allows remote attackers to cause denial of service via a crafted DTLS handshake. This affects systems using libcoap with DTLS enabled. The vulnerability triggers when SSL_get_ex_data_X509_STORE_CTX_idx() returns -1, leading to out-of-bounds memory access.
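As an added illustration (not libcoap's or OpenSSL's code), the pattern behind this bug class and its fix: an index lookup that reports failure with -1 must be range-checked before the result is used as an array subscript. The ex_data table, the registry index and demo_verify are constructed for this example.

```c
#include <stdio.h>
/* Constructed model, not libcoap or OpenSSL code: a small ex_data table and
 * an index lookup that, like SSL_get_ex_data_X509_STORE_CTX_idx(), signals
 * failure by returning -1 instead of a valid slot number. */
#define EX_SLOTS 4

typedef struct { void *ex_data[EX_SLOTS]; } store_ctx_t;

static int g_store_ctx_idx = -1;           /* hypothetical registry index */
int  get_store_ctx_idx(void)    { return g_store_ctx_idx; }
void set_store_ctx_idx(int idx) { g_store_ctx_idx = idx; }

/* Vulnerable pattern: the -1 sentinel is used directly as a subscript, so a
 * failed lookup reads ex_data[-1], memory just before the array. Shown for
 * contrast only; it is never called with a failed index below. */
void *session_from_ctx_unchecked(store_ctx_t *ctx) {
    return ctx->ex_data[get_store_ctx_idx()];
}

/* Hardened pattern: validate the index before it becomes a subscript and
 * report an unusable index as a failed lookup. */
void *session_from_ctx_checked(store_ctx_t *ctx) {
    int idx = get_store_ctx_idx();
    if (idx < 0 || idx >= EX_SLOTS)
        return NULL;
    return ctx->ex_data[idx];
}

/* Verify callback shaped like OpenSSL's verify_callback(int, X509_STORE_CTX *):
 * rejecting (0) when the session cannot be recovered is the safe failure mode
 * for a handshake; otherwise preverify_ok passes through. */
int verify_callback_checked(int preverify_ok, store_ctx_t *ctx) {
    return session_from_ctx_checked(ctx) == NULL ? 0 : preverify_ok;
}

/* Drive the callback with a context holding one session in slot 2 and the
 * given registry index; returns the verify result. */
int demo_verify(int idx, int preverify_ok) {
    static int dummy_session = 1;
    store_ctx_t ctx = { { NULL, NULL, &dummy_session, NULL } };
    set_store_ctx_idx(idx);
    return verify_callback_checked(preverify_ok, &ctx);
}

int main(void) {
    printf("failed index (-1): verify -> %d\n", demo_verify(-1, 1));
    printf("valid index  (2):  verify -> %d\n", demo_verify(2, 1));
    return 0;
}
```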

💻 Affected Systems

Products:
  • OISM libcoap
Versions: 4.3.5 and possibly earlier versions
Operating Systems: All platforms where libcoap is compiled with OpenSSL/DTLS support
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when compiled with DTLS support (OpenSSL) and DTLS functionality is enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote unauthenticated attacker causes service crash or instability through crafted DTLS packets, disrupting CoAP communication.

🟠 Likely Case

Denial of service affecting DTLS-enabled CoAP services, potentially disrupting IoT/embedded device communication.

🟢 If Mitigated

Limited impact with proper network segmentation and DTLS handshake validation in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted DTLS handshake packets to vulnerable endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in libcoap 4.3.6 and later

Vendor Advisory: https://github.com/obgm/libcoap/pull/1750

Restart Required: Yes

Instructions:

1. Update libcoap to version 4.3.6 or later.
2. Recompile applications using libcoap.
3. Restart affected services.

🔧 Temporary Workarounds

Disable DTLS (platform: all)

Disable DTLS support in libcoap configuration if not required.

Recompile libcoap with the --disable-dtls configure flag.

Network filtering (platform: linux)

Block DTLS handshake packets from untrusted sources.

iptables -A INPUT -p udp --dport 5684 -j DROP (adjust port as needed)

🧯 If You Can't Patch

  • Implement network segmentation to isolate CoAP/DTLS traffic
  • Deploy intrusion prevention systems to detect anomalous DTLS handshakes

🔍 How to Verify

Check if Vulnerable:

Check the libcoap version (see below) and confirm the binary links against OpenSSL, which indicates it was built with DTLS support: ldd /path/to/coap-app | grep ssl

Check Version:

coap-client --version 2>/dev/null | head -1

Verify Fix Applied:

Verify libcoap version is 4.3.6+ and test DTLS handshake functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected service crashes
  • DTLS handshake failures
  • SSL/TLS error logs

Network Indicators:

  • Multiple DTLS handshake attempts from single source
  • Malformed DTLS packets

SIEM Query:

source="coap.log" AND ("crash" OR "segfault" OR "SSL_error")
