CVE-2025-68138

{"id": "CVE-2025-68138", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2025-68138", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-22T21:56:15.275981Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "EVerest", "product": "everest-core", "versions": [{"status": "affected", "version": "libocpp < 0.30.1"}]}]}], "published": "2026-01-21T20:16:06.007", "references": [{"url": "https://github.com/EVerest/everest-core/security/advisories/GHSA-f8c2-44c3-7v55", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/EVerest/libocpp/blob/89c7b62ec899db637f43b54f19af2c4af30cfa66/lib/ocpp/common/websocket/websocket_libwebsockets.cpp", "tags": ["Product"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "EVerest is an EV charging software stack, and EVerest libocpp is a C++ implementation of the Open Charge Point Protocol. In libocpp prior to version 0.30.1, pointers returned by the `strdup` calls are never freed. At each connection attempt, the newly allocated memory area will be leaked, potentially causing memory exhaustion and denial of service. Version 0.30.1 fixes the issue."}, {"lang": "es", "value": "EVerest es una pila de software de carga de VE, y EVerest libocpp es una implementaci\u00f3n en C++ del Protocolo de Punto de Carga Abierto. En libocpp, anterior a la versi\u00f3n 0.30.1, los punteros devueltos por las llamadas a `strdup` nunca se liberan. En cada intento de conexi\u00f3n, el \u00e1rea de memoria reci\u00e9n asignada se filtrar\u00e1, lo que podr\u00eda causar agotamiento de la memoria y denegaci\u00f3n de servicio. La versi\u00f3n 0.30.1 corrige el problema."}], "lastModified": "2026-06-17T09:58:35.043", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:libocpp:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B5538681-05FD-4070-94F2-BAA9E6CDC81B", "versionEndExcluding": "0.30.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}