CVE-2025-65501 Overview
CVE-2025-65501 is a null pointer dereference vulnerability in the coap_dtls_info_callback() function of OISM libcoap version 4.3.5. The library implements the Constrained Application Protocol (CoAP) for resource-constrained IoT devices and supports Datagram Transport Layer Security (DTLS) for secure communications. When SSL_get_app_data() returns NULL during a DTLS handshake, the callback dereferences the null pointer and crashes the process. Remote attackers can trigger this condition to cause a denial of service against libcoap-based servers and clients.
Critical Impact
Remote attackers can crash libcoap 4.3.5 processes by initiating a DTLS handshake that causes SSL_get_app_data() to return NULL, disrupting availability of CoAP services on affected IoT and embedded systems.
Affected Products
- OISM libcoap 4.3.5
- Applications and firmware embedding libcoap 4.3.5 with DTLS support
- IoT and embedded devices exposing CoAP-over-DTLS endpoints built on libcoap 4.3.5
Discovery Timeline
- 2025-11-24 - CVE-2025-65501 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-65501
Vulnerability Analysis
The vulnerability resides in coap_dtls_info_callback(), an OpenSSL information callback that libcoap registers to observe DTLS handshake state transitions. The callback retrieves application-specific context from the OpenSSL session using SSL_get_app_data(). libcoap 4.3.5 does not validate the returned pointer before dereferencing it. When the pointer is NULL, the process crashes with a segmentation fault. This defect maps to [CWE-476] Null Pointer Dereference and results in a denial of service on any libcoap component that terminates DTLS locally.
Root Cause
The root cause is missing input validation on the return value of SSL_get_app_data() inside coap_dtls_info_callback(). Under specific handshake sequences the associated application data has not yet been attached to the SSL object, so the accessor returns NULL. The subsequent field access dereferences the null pointer. The upstream fix, discussed in the project's GitHub Issue Discussion and applied in the GitHub Pull Request, adds a null check before use.
Attack Vector
Exploitation requires network access to a DTLS listener that uses libcoap 4.3.5. A remote attacker initiates a DTLS handshake crafted so that the OpenSSL information callback fires before application data is bound to the SSL session. When libcoap invokes SSL_get_app_data(), the callback dereferences NULL and the process terminates. No authentication is required, but user interaction on the target side is noted in the CVSS vector. The vulnerability does not enable code execution, data disclosure, or integrity impact.
No public proof-of-concept exploit or code example is available. See the linked GitHub Issue Discussion for the maintainer analysis and reproduction discussion.
Detection Methods for CVE-2025-65501
Indicators of Compromise
- Unexpected crashes or segmentation faults in processes linking libcoap-3 or libcoap-2 shared objects at version 4.3.5
- Core dumps referencing coap_dtls_info_callback in the backtrace with a fault address of 0x0
- Repeated DTLS ClientHello messages from a single source followed by immediate service termination on UDP port 5684
Detection Strategies
- Inventory hosts and firmware images for libcoap 4.3.5 using software composition analysis and package managers such as dpkg, rpm, or pkg-config --modversion libcoap-3
- Monitor process supervisors (systemd, runit, container orchestrators) for abnormal restart loops on CoAP services
- Enable OpenSSL and libcoap debug logging on canary hosts to capture DTLS handshake states preceding a crash
Monitoring Recommendations
- Alert on UDP/5684 traffic bursts from single sources followed by connection resets or service unavailability
- Track kernel SIGSEGV events for CoAP server binaries and forward core dump metadata to a centralized log store
- Correlate CoAP endpoint availability probes with authentication logs to identify unauthenticated DTLS-triggered outages
How to Mitigate CVE-2025-65501
Immediate Actions Required
- Upgrade libcoap to a version that includes the fix merged via the GitHub Pull Request and rebuild dependent applications and firmware
- Restrict network reachability of UDP port 5684 to trusted peers using firewall rules or network segmentation until patches are deployed
- Enable automatic restart policies on CoAP services to reduce downtime while patch rollout proceeds
Patch Information
The upstream fix is tracked in the libcoap project's GitHub Issue Discussion and delivered through the GitHub Pull Request. The patch adds a null check on the value returned by SSL_get_app_data() inside coap_dtls_info_callback() before dereferencing it. Distribution maintainers and firmware vendors shipping libcoap 4.3.5 should backport the change or move to a fixed release.
Workarounds
- Disable DTLS support in libcoap builds where transport security is provided at another layer, eliminating the vulnerable code path
- Front CoAP-over-DTLS endpoints with an intermediary proxy that terminates DTLS using an unaffected stack
- Apply rate limiting and source allow-lists on UDP/5684 to reduce the ability of unauthenticated attackers to trigger the crash
# Example: block untrusted DTLS traffic to CoAP endpoints until patched
iptables -A INPUT -p udp --dport 5684 -m set ! --match-set coap_allow src -j DROP
# Verify installed libcoap version
pkg-config --modversion libcoap-3
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

