CVE-2025-62689 Overview
CVE-2025-62689 is a NULL pointer dereference vulnerability (CWE-476) in GNU libmicrohttpd version 1.0.2 and earlier. The flaw allows a remote attacker to trigger a denial-of-service (DoS) condition by sending a specially crafted HTTP request to an affected server. Because libmicrohttpd is a small C library used to embed HTTP server functionality inside other applications, any service linking against a vulnerable version is exposed, and a crash in the library takes down the embedding process. The issue was fixed in commit ff13abc1c1d7d2b30d69d5c0bd4a237e1801c50b on the master branch of the libmicrohttpd Git repository, after the v1.0.2 tag. No authentication or user interaction is required to exploit the flaw.
Critical Impact
Unauthenticated remote attackers can crash any application embedding libmicrohttpd v1.0.2 or earlier by sending a single crafted HTTP request over the network.
Affected Products
- GNU libmicrohttpd v1.0.2
- GNU libmicrohttpd versions prior to v1.0.2
- Applications and embedded services linking against vulnerable libmicrohttpd builds
Discovery Timeline
- 2025-11-10 - CVE-2025-62689 published to NVD
- 2025-11-14 - Last updated in NVD database
Technical Details for CVE-2025-62689
Vulnerability Analysis
The vulnerability resides in the HTTP request processing logic of GNU libmicrohttpd, a lightweight embedded HTTP server library maintained by the GNU Project. A specially crafted HTTP request causes the library to dereference a NULL pointer during request handling, and the resulting segmentation fault (SIGSEGV) kills the host process. Because libmicrohttpd runs in-process with the application that embeds it, and a SIGSEGV in any thread terminates the whole process regardless of the threading mode the application selected, the crash takes down the entire service rather than an isolated worker. The attack vector is the network, attack complexity is low, and no privileges or user interaction are required.
Root Cause
The upstream commit ff13abc1c1d7d2b30d69d5c0bd4a237e1801c50b resolves the defect by adding a validation step that the v1.0.2 release lacked. Before the fix, a code path in the request parser operated on a pointer that could remain unset when the input did not match the parser's protocol assumptions. Attacker-supplied data that drove the parser down that path caused the unchecked pointer to be dereferenced, crashing the process. For the exact condition, see the diff of that commit.
Attack Vector
Exploitation requires only network reachability to a service that embeds vulnerable libmicrohttpd. An attacker sends a crafted HTTP request to the listening port; the library follows the vulnerable code path, dereferences the NULL pointer, and the process dies with SIGSEGV. Repeating the request after each restart, including supervisor-driven respawns, sustains the outage. No memory disclosure, code execution, or integrity impact is reported. The realistic impact is sustained denial of service against any exposed HTTP endpoint backed by libmicrohttpd.
No public proof-of-concept code has been published, and the issue is not currently listed in the CISA Known Exploited Vulnerabilities catalog. See the GNUnet upstream commit and the JVN Security Advisory JVN76719218 for technical details.
Detection Methods for CVE-2025-62689
Indicators of Compromise
- Unexpected SIGSEGV crashes or core dumps from processes that load libmicrohttpd.so, or from statically linked binaries known to embed it; a NULL dereference typically shows in the kernel segfault line as a fault at address 0 or a small offset from it
- Service supervisors (systemd, runit, container orchestrators) repeatedly restarting an HTTP daemon after inbound traffic
- HTTP listeners going unresponsive immediately after receiving a single short-lived connection from an external source
Detection Strategies
- Inventory all binaries and containers that statically or dynamically link libmicrohttpd and flag versions at or below 1.0.2; dynamic links show up via the loader and package manager, static links only via build manifests or SBOMs
- Correlate crash events in process telemetry with inbound network connections to the affected service port to spot exploitation attempts
- Hunt application logs for abrupt termination markers immediately following malformed or truncated HTTP requests
Monitoring Recommendations
- Forward kernel and application crash logs (coredumpctl, journalctl, container exit codes) to a central log platform for correlation
- Alert on elevated rates of TCP resets or connection aborts from HTTP services that embed libmicrohttpd
- Track restart counts of services using libmicrohttpd and treat sudden spikes as a DoS indicator
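The correlation and restart-count checks in the two lists above, worked through as an added example (this is not code from the libmicrohttpd project or from any referenced advisory). It assumes a unit named myhttpd.service whose daemon logs accepted connections as "accepted connection from IP:PORT", stock Linux kernel segfault and systemd restart line formats, and a constructed journal excerpt; the unit name, log format and sample lines are all assumptions, not observed data.

```python
"""Correlate libmicrohttpd crash signatures with the connections that preceded them.

Added example for this advisory; not code from the libmicrohttpd project.
Assumptions (constructed): the embedding daemon is unit 'myhttpd.service', its
process logs 'accepted connection from IP:PORT', kernel and systemd lines use
the stock formats, and all lines come from one year (syslog stamps carry none).
"""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed journal excerpt (not captured telemetry).
SAMPLE_JOURNAL = """\
Nov 12 10:00:41 web1 myhttpd[2231]: accepted connection from 10.0.4.17:40212
Nov 12 10:01:02 web1 myhttpd[2231]: accepted connection from 203.0.113.7:51842
Nov 12 10:01:02 web1 kernel: myhttpd[2231]: segfault at 0 ip 00007f3a1c2b4e10 sp 00007f3a19ffe9c0 error 4 in libmicrohttpd.so.12.61.0[7f3a1c2a0000+2c000]
Nov 12 10:01:03 web1 systemd[1]: myhttpd.service: Main process exited, code=dumped, status=11/SEGV
Nov 12 10:01:03 web1 systemd[1]: myhttpd.service: Scheduled restart job, restart counter is at 1.
Nov 12 10:01:09 web1 myhttpd[2290]: accepted connection from 203.0.113.7:51850
Nov 12 10:01:09 web1 kernel: myhttpd[2290]: segfault at 0 ip 00007f3a1c2b4e10 sp 00007f3a19ffe9c0 error 4 in libmicrohttpd.so.12.61.0[7f3a1c2a0000+2c000]
Nov 12 10:01:10 web1 systemd[1]: myhttpd.service: Main process exited, code=dumped, status=11/SEGV
Nov 12 10:01:10 web1 systemd[1]: myhttpd.service: Scheduled restart job, restart counter is at 2.
Nov 12 10:05:00 web1 myhttpd[2351]: accepted connection from 10.0.4.17:40300
"""

TS = r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
ACCEPT_RE = re.compile(TS + r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: accepted connection from "
                       r"(?P<ip>[0-9A-Fa-f.:]+):(?P<port>\d+)$")
SEGV_RE = re.compile(TS + r"kernel: (?:\[ *[\d.]+\] )?(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: "
                     r"segfault at (?P<addr>[0-9a-f]+) .* in (?P<obj>[^\s\[]+)\[")
RESTART_RE = re.compile(TS + r"systemd\[1\]: (?P<unit>\S+): Scheduled restart job, "
                        r"restart counter is at (?P<n>\d+)\.$")

def _ts(text):
    return datetime.strptime(text, "%b %d %H:%M:%S")  # year defaults to 1900; only deltas matter

def parse_journal(text):
    """Reduce raw lines to typed events (accept, segfault, restart); other lines are ignored."""
    events = []
    for line in text.splitlines():
        if (m := ACCEPT_RE.match(line)):
            events.append({"kind": "accept", "ts": _ts(m["ts"]), "proc": m["proc"],
                           "pid": int(m["pid"]), "ip": m["ip"], "port": int(m["port"])})
        elif (m := SEGV_RE.match(line)):
            events.append({"kind": "segfault", "ts": _ts(m["ts"]), "proc": m["proc"],
                           "pid": int(m["pid"]), "addr": int(m["addr"], 16), "obj": m["obj"]})
        elif (m := RESTART_RE.match(line)):
            events.append({"kind": "restart", "ts": _ts(m["ts"]), "unit": m["unit"], "n": int(m["n"])})
    return events

def correlate(events, window_s=5, trusted=("10.0.0.0/8", "127.0.0.0/8", "::1/128"),
              watched_procs=("myhttpd",)):
    """For each segfault inside libmicrohttpd (or inside a watched daemon that may link it
    statically), list connections the same pid accepted in the preceding window and which
    came from outside the trusted ranges. A fault address below one page (0x1000) is the
    classic NULL-pointer signature."""
    nets = [ip_network(n) for n in trusted]
    accepts = [e for e in events if e["kind"] == "accept"]
    findings = []
    for crash in (e for e in events if e["kind"] == "segfault"):
        if not (crash["obj"].startswith("libmicrohttpd") or crash["proc"] in watched_procs):
            continue
        start = crash["ts"] - timedelta(seconds=window_s)
        recent = [a for a in accepts if a["pid"] == crash["pid"] and start <= a["ts"] <= crash["ts"]]
        external = sorted({a["ip"] for a in recent
                           if not any(ip_address(a["ip"]) in n for n in nets)})
        findings.append({"ts": crash["ts"], "pid": crash["pid"], "obj": crash["obj"],
                         "near_null": crash["addr"] < 0x1000,
                         "recent_connections": len(recent), "external_sources": external})
    return findings

def restart_burst(events, unit, window_s=60, threshold=2):
    """True if the unit was scheduled for restart at least `threshold` times within any
    `window_s`-second window: the respawn-loop signature of a repeatable crash."""
    times = sorted(e["ts"] for e in events if e["kind"] == "restart" and e["unit"] == unit)
    for i, t0 in enumerate(times):
        if sum(1 for t in times[i:] if t - t0 <= timedelta(seconds=window_s)) >= threshold:
            return True
    return False

if __name__ == "__main__":
    evs = parse_journal(SAMPLE_JOURNAL)
    for f in correlate(evs):
        print(f"{f['ts']:%b %d %H:%M:%S} pid={f['pid']} obj={f['obj']} "
              f"near_null={f['near_null']} external={f['external_sources']}")
    print("restart burst:", restart_burst(evs, "myhttpd.service"))
```

Feed it `journalctl -o short` output instead of the sample; the 5-second window is deliberately tight because the crash follows the offending request almost immediately, and widening it mostly pulls in benign internal traffic, as the 60-second variant shows.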
How to Mitigate CVE-2025-62689
Immediate Actions Required
- Identify all hosts, containers, and appliances running GNU libmicrohttpd v1.0.2 or earlier and prioritize internet-facing instances
- Apply the upstream fix from commit ff13abc1c1d7d2b30d69d5c0bd4a237e1801c50b or upgrade to a release built from a branch that includes it
- Rebuild and redeploy any first-party software that statically links the vulnerable library
Patch Information
The vulnerability was fixed in commit ff13abc1c1d7d2b30d69d5c0bd4a237e1801c50b on the master branch of the libmicrohttpd Git repository, after the v1.0.2 tag. Distributions and downstream projects should pull this commit or wait for a post-1.0.2 tagged release. Refer to the GNUnet upstream commit and the GNU libmicrohttpd project page for build instructions.
Workarounds
- Restrict network exposure of services embedding libmicrohttpd to trusted networks using firewall rules or security groups
- Place a hardened reverse proxy in front of affected endpoints to filter malformed HTTP requests before they reach the library
- Configure service supervisors to back off or cap restart loops so a repeatable crash does not amplify into CPU, I/O and logging exhaustion on the host; a hard cap that stops respawning also extends the outage, so pair it with an alert rather than relying on it alone
# Example: identify packages linking libmicrohttpd and check version
ldconfig -p | grep libmicrohttpd    # shared objects known to the loader (misses static links)
dpkg -l | grep libmicrohttpd        # Debian/Ubuntu package and version
rpm -qa | grep libmicrohttpd        # RHEL/Fedora package and version
# Example: restrict exposure of an embedded HTTP service via nftables
# Assumes the table 'inet filter' and its base chain 'input' already exist. The rule is
# appended, so an earlier accept rule in the chain takes precedence over it. 'ip saddr'
# matches IPv4 only; an IPv6 listener needs an equivalent 'ip6 saddr' rule.
nft add rule inet filter input tcp dport 8080 ip saddr != 10.0.0.0/8 drop
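An added example (not libmicrohttpd project code) that complements the shell commands above: it finds running processes with libmicrohttpd mapped by reading /proc, which catches copies the package manager does not know about, and compares whatever release string the host reports against the 1.0.2 boundary. The Debian package name libmicrohttpd12, the RPM package name libmicrohttpd, and the /proc maps excerpt are assumptions; the soname version in the path (12.x) is not the release number, which is why the release is asked for separately.

```python
"""Find processes with libmicrohttpd mapped and judge whether the installed release
falls in the affected range (v1.0.2 and earlier).

Added example for this advisory; not libmicrohttpd project code. Assumptions: Linux
with a readable /proc (run as root to see every process); the release number comes
from the distro package or pkg-config, because the soname (libmicrohttpd.so.12.x)
does not carry it; package names 'libmicrohttpd12' (Debian) and 'libmicrohttpd'
(RPM) are assumed. The maps excerpt below is constructed for illustration.
"""
import os
import re
import subprocess

LAST_AFFECTED = (1, 0, 2)   # per the advisory: v1.0.2 and everything before it

# Constructed /proc/<pid>/maps excerpt (not captured from a real host).
SAMPLE_MAPS = """\
55d3c1a00000-55d3c1a2e000 r-xp 00000000 fd:01 2621447   /usr/local/bin/myhttpd
7f3a1c2a0000-7f3a1c2cc000 r-xp 00000000 fd:01 1311285   /usr/lib/x86_64-linux-gnu/libmicrohttpd.so.12.61.0
7f3a1c4d0000-7f3a1c4f8000 r--p 00000000 fd:01 1311102   /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd5e3b0000-7ffd5e3d1000 rw-p 00000000 00:00 0         [stack]
"""

def parse_version(text):
    """'1.0.2', 'v1.0.2', '1.0.2-1ubuntu1', '0.9.77' -> comparable tuple, else None.
    The distro revision suffix is dropped: it cannot tell us whether the distro
    backported the fix, so an 'affected' verdict still needs the changelog checked."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups(default="0"))

def is_affected(version_text):
    """True for v1.0.2 and earlier, False for later releases, None if unparseable."""
    v = parse_version(version_text)
    return None if v is None else v <= LAST_AFFECTED

def find_mhd_mapping(maps_text):
    """Return the path of the first libmicrohttpd object in a /proc/<pid>/maps dump, or None."""
    for line in maps_text.splitlines():
        fields = line.split(None, 5)          # addr perms offset dev inode [pathname]
        if len(fields) == 6 and "libmicrohttpd" in os.path.basename(fields[5].strip()):
            return fields[5].strip()
    return None

def mapped_processes(proc_root="/proc"):
    """{pid: (comm, path)} for every process with libmicrohttpd mapped. Statically linked
    copies are invisible here; catch those by inventorying first-party builds."""
    hits = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc_root}/{entry}/maps") as f:
                path = find_mhd_mapping(f.read())
            if path:
                with open(f"{proc_root}/{entry}/comm") as f:
                    hits[int(entry)] = (f.read().strip(), path)
        except OSError:          # process exited, or not ours to read
            continue
    return hits

def installed_version():
    """Ask the package manager, then pkg-config, for the release string (None if none answer)."""
    probes = [
        ["dpkg-query", "-W", "-f=${Version}", "libmicrohttpd12"],   # Debian/Ubuntu (assumed name)
        ["rpm", "-q", "--qf", "%{VERSION}", "libmicrohttpd"],       # RHEL/Fedora (assumed name)
        ["pkg-config", "--modversion", "libmicrohttpd"],           # from the dev package
    ]
    for cmd in probes:
        try:
            r = subprocess.run(cmd, capture_output=True, text=True, check=False)
        except FileNotFoundError:
            continue
        if r.returncode == 0 and r.stdout.strip():
            return r.stdout.strip()
    return None

if __name__ == "__main__":
    ver = installed_version()
    print("installed libmicrohttpd:", ver or "unknown", "affected:", is_affected(ver or ""))
    for pid, (comm, path) in sorted(mapped_processes().items()):
        print(f"pid {pid} ({comm}) has {path} mapped")
```

A process that still has the old object mapped after the package was upgraded is the common gap this closes: the package manager reports the fixed version while the long-running daemon keeps serving requests from the vulnerable copy until it is restarted.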
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.