
JVNDB-2025-000104

Multiple vulnerabilities in GNU Libmicrohttpd

Overview

GNU Libmicrohttpd provided by GNU Project contains multiple vulnerabilities listed below.

  • NULL pointer dereference (CWE-476) - CVE-2025-59777

  • Heap-based buffer overflow (CWE-122) - CVE-2025-62689


Tatsuhiko Yasumatsu of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity

CVSS v3 Severity:
Base Metrics: 7.5 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High
The above CVSS base score has been assigned to CVE-2025-59777


CVSS v3 Severity:
Base Metrics: 7.5 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High
The above CVSS base score has been assigned to CVE-2025-62689
Affected Products


GNU Project
  • GNU Libmicrohttpd v1.0.2 and earlier

These vulnerabilities exist in libmicrohttpd_ws.so, the library that is generated only when libmicrohttpd is built with the --enable-experimental option, and not in the widely used libmicrohttpd.so.

Note that the vulnerabilities remain in the source code up until commit ff13abc on the master branch of the libmicrohttpd Git repository, which is after the v1.0.2 tag.
Impact

A specially crafted packet sent by an attacker could cause a denial-of-service (DoS) condition.
Solution

[Stop using libmicrohttpd_ws.so]
libmicrohttpd_ws.so is an experimental implementation. It is recommended that users stop using this component.
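Because the affected code lives only in the experimental libmicrohttpd_ws.so, an administrator first needs to know whether that file is installed and whether anything on the host links it. The following POSIX shell script is an added example, not part of the JVN advisory or of the libmicrohttpd project; it assumes the library keeps its libmicrohttpd_ws.so* file name and relies on the fact that a dynamic executable's DT_NEEDED entries are stored as plain strings in its .dynstr section, so a string search finds them without readelf or ldd. The directory list in the usage section is an assumption as well.

```shell
#!/bin/sh
# Added example: audit a host for the experimental libmicrohttpd_ws.so
# (JVNDB-2025-000104) and for files that depend on it.
# Heuristic: "libmicrohttpd_ws.so" appearing as a string inside a file is
# treated as a dependency; a false positive is possible if the string
# occurs for another reason (e.g. in a text file), so review hits by hand.

# Print every file under directory $1 whose name starts with
# libmicrohttpd_ws.so (covers versioned names such as .so.1).
find_ws_library() {
    find "$1" -type f -name 'libmicrohttpd_ws.so*' 2>/dev/null
}

# Return 0 if file $1 contains the string "libmicrohttpd_ws.so"
# (likely a DT_NEEDED entry), 1 otherwise. -a treats binaries as text.
links_ws_library() {
    grep -a -q 'libmicrohttpd_ws\.so' "$1" 2>/dev/null
}

# Print every regular file under directory $1 that links the experimental
# library, skipping copies of the library itself.
find_ws_dependents() {
    find "$1" -type f ! -name 'libmicrohttpd_ws.so*' 2>/dev/null |
    while IFS= read -r f; do
        if links_ws_library "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Usage: "sh audit_ws.sh --run" scans the assumed library and binary paths.
if [ "${1:-}" = "--run" ]; then
    for d in /usr/lib /usr/lib64 /usr/local/lib /usr/bin /usr/local/bin; do
        [ -d "$d" ] || continue
        printf '== %s: library copies ==\n' "$d"
        find_ws_library "$d"
        printf '== %s: dependents ==\n' "$d"
        find_ws_dependents "$d"
    done
fi
```

Any file reported under "dependents" is a candidate for rebuilding without --enable-experimental or for removal, per the advisory's recommendation.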
Vendor Information

GNU Project
CWE

  1. Buffer Errors (CWE-119) [IPA Evaluation]
  2. No Mapping (CWE-Other) [IPA Evaluation]
CVE

  1. CVE-2025-59777
  2. CVE-2025-62689
References

  1. JVN : JVN#76719218
Revision History

  • [2025/11/10]
      Web page was published