Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-65501

CVE-2025-65501: Libcoap DTLS Handshake DoS Vulnerability

CVE-2025-65501 is a null pointer dereference denial of service vulnerability in Libcoap 4.3.5 that allows remote attackers to crash the service through a malformed DTLS handshake. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-65501 Overview

CVE-2025-65501 is a null pointer dereference vulnerability in the coap_dtls_info_callback() function of OISM libcoap version 4.3.5. The library implements the Constrained Application Protocol (CoAP) for resource-constrained IoT devices and supports Datagram Transport Layer Security (DTLS) for secure communications. When SSL_get_app_data() returns NULL during a DTLS handshake, the callback dereferences the null pointer and crashes the process. Remote attackers can trigger this condition to cause a denial of service against libcoap-based servers and clients.

Critical Impact

Remote attackers can crash libcoap 4.3.5 processes by initiating a DTLS handshake that causes SSL_get_app_data() to return NULL, disrupting availability of CoAP services on affected IoT and embedded systems.

Affected Products

  • OISM libcoap 4.3.5
  • Applications and firmware embedding libcoap 4.3.5 with DTLS support
  • IoT and embedded devices exposing CoAP-over-DTLS endpoints built on libcoap 4.3.5

Discovery Timeline

  • 2025-11-24 - CVE-2025-65501 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-65501

Vulnerability Analysis

The vulnerability resides in coap_dtls_info_callback(), an OpenSSL information callback that libcoap registers to observe DTLS handshake state transitions. The callback retrieves application-specific context from the OpenSSL session using SSL_get_app_data(). libcoap 4.3.5 does not validate the returned pointer before dereferencing it. When the pointer is NULL, the process crashes with a segmentation fault. This defect maps to [CWE-476] Null Pointer Dereference and results in a denial of service on any libcoap component that terminates DTLS locally.

Root Cause

The root cause is missing input validation on the return value of SSL_get_app_data() inside coap_dtls_info_callback(). Under specific handshake sequences the associated application data has not yet been attached to the SSL object, so the accessor returns NULL. The subsequent field access dereferences the null pointer. The upstream fix, discussed in the project's GitHub Issue Discussion and applied in the GitHub Pull Request, adds a null check before use.

Attack Vector

Exploitation requires network access to a DTLS listener that uses libcoap 4.3.5. A remote attacker initiates a DTLS handshake crafted so that the OpenSSL information callback fires before application data is bound to the SSL session. When libcoap invokes SSL_get_app_data(), the callback dereferences NULL and the process terminates. No authentication is required, but user interaction on the target side is noted in the CVSS vector. The vulnerability does not enable code execution, data disclosure, or integrity impact.

No public proof-of-concept exploit or code example is available. See the linked GitHub Issue Discussion for the maintainer analysis and reproduction discussion.

Detection Methods for CVE-2025-65501

Indicators of Compromise

  • Unexpected crashes or segmentation faults in processes linking libcoap-3 or libcoap-2 shared objects at version 4.3.5
  • Core dumps referencing coap_dtls_info_callback in the backtrace with a fault address of 0x0
  • Repeated DTLS ClientHello messages from a single source followed by immediate service termination on UDP port 5684

Detection Strategies

  • Inventory hosts and firmware images for libcoap 4.3.5 using software composition analysis and package managers such as dpkg, rpm, or pkg-config --modversion libcoap-3
  • Monitor process supervisors (systemd, runit, container orchestrators) for abnormal restart loops on CoAP services
  • Enable OpenSSL and libcoap debug logging on canary hosts to capture DTLS handshake states preceding a crash

Monitoring Recommendations

  • Alert on UDP/5684 traffic bursts from single sources followed by connection resets or service unavailability
  • Track kernel SIGSEGV events for CoAP server binaries and forward core dump metadata to a centralized log store
  • Correlate CoAP endpoint availability probes with authentication logs to identify unauthenticated DTLS-triggered outages

How to Mitigate CVE-2025-65501

Immediate Actions Required

  • Upgrade libcoap to a version that includes the fix merged via the GitHub Pull Request and rebuild dependent applications and firmware
  • Restrict network reachability of UDP port 5684 to trusted peers using firewall rules or network segmentation until patches are deployed
  • Enable automatic restart policies on CoAP services to reduce downtime while patch rollout proceeds

Patch Information

The upstream fix is tracked in the libcoap project's GitHub Issue Discussion and delivered through the GitHub Pull Request. The patch adds a null check on the value returned by SSL_get_app_data() inside coap_dtls_info_callback() before dereferencing it. Distribution maintainers and firmware vendors shipping libcoap 4.3.5 should backport the change or move to a fixed release.

Workarounds

  • Disable DTLS support in libcoap builds where transport security is provided at another layer, eliminating the vulnerable code path
  • Front CoAP-over-DTLS endpoints with an intermediary proxy that terminates DTLS using an unaffected stack
  • Apply rate limiting and source allow-lists on UDP/5684 to reduce the ability of unauthenticated attackers to trigger the crash
bash
# Example: block untrusted DTLS traffic to CoAP endpoints until patched
iptables -A INPUT -p udp --dport 5684 -m set ! --match-set coap_allow src -j DROP

# Verify installed libcoap version
pkg-config --modversion libcoap-3

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.