CVE-2025-68138 Overview
CVE-2025-68138 is a memory leak vulnerability in EVerest libocpp, a C++ implementation of the Open Charge Point Protocol (OCPP) used in EV charging software stacks. The vulnerability exists in versions prior to 0.30.1 where pointers returned by strdup calls are never freed. Each connection attempt causes newly allocated memory areas to be leaked, potentially leading to memory exhaustion and denial of service conditions on affected EV charging infrastructure.
Critical Impact
Attackers on the adjacent network can exploit this memory leak to exhaust system memory resources through repeated connection attempts, causing denial of service on EV charging stations running vulnerable EVerest libocpp versions.
Affected Products
- EVerest libocpp versions prior to 0.30.1
- EVerest Core installations using vulnerable libocpp versions
- EV charging infrastructure utilizing the Open Charge Point Protocol implementation
Discovery Timeline
- 2026-01-21 - CVE-2025-68138 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2025-68138
Vulnerability Analysis
This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The flaw resides in the WebSocket implementation within libocpp, specifically in the websocket_libwebsockets.cpp file. When handling connection attempts, the code uses the strdup function to duplicate strings, but fails to subsequently free the allocated memory. This creates a classic memory leak condition that compounds with each new connection attempt.
The attack vector requires adjacent network access, meaning an attacker must be on the same local network segment as the vulnerable EV charging station. However, no privileges or user interaction are required to exploit this vulnerability. The impact extends beyond the vulnerable component itself, potentially affecting other services on the same charging station platform as memory resources become depleted.
Root Cause
The root cause is improper memory management in the C++ codebase. The strdup function allocates new memory on the heap and copies a string into it, returning a pointer to the new allocation. The calling code is responsible for freeing this memory when it's no longer needed. In libocpp prior to version 0.30.1, this cleanup step was missing, causing memory to accumulate indefinitely with each connection attempt to the WebSocket endpoint.
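The leak pattern described above next to an RAII correction, as an added example that is not libocpp's own code. `ConnectParams`, `try_connect`, the two `attempt_*` functions and the allocation tracker are hypothetical names, and the host and path strings are constructed.

```cpp
#include <string.h>  // strdup (POSIX)
#include <algorithm>
#include <cstdlib>
#include <memory>
#include <string>
#include <vector>

// Constructed tracker: records strdup'd buffers that have not been freed yet.
static std::vector<char*> g_live;
static char* tracked_strdup(const char* s) {
    char* p = strdup(s);
    if (p) g_live.push_back(p);
    return p;
}
static void tracked_free(char* p) {
    auto it = std::find(g_live.begin(), g_live.end(), p);
    if (it != g_live.end()) { g_live.erase(it); std::free(p); }
}

// Hypothetical stand-in for a C-style connect-info struct taking raw strings.
struct ConnectParams { const char* host; const char* path; };
static bool try_connect(const ConnectParams& p) { return p.host && p.path && *p.host && *p.path; }

// Leaky pattern: each attempt duplicates the strings and drops the pointers.
bool attempt_leaky(const std::string& host, const std::string& path) {
    ConnectParams p{tracked_strdup(host.c_str()), tracked_strdup(path.c_str())};
    return try_connect(p);  // p.host and p.path are never freed
}

// Corrected pattern: unique_ptr owns each copy and frees it on every return path.
struct Free { void operator()(char* p) const { tracked_free(p); } };
using CStr = std::unique_ptr<char, Free>;
bool attempt_fixed(const std::string& host, const std::string& path) {
    CStr h(tracked_strdup(host.c_str())), q(tracked_strdup(path.c_str()));
    if (!h || !q) return false;  // allocation failure still releases the other copy
    return try_connect(ConnectParams{h.get(), q.get()});
}

// Buffers left allocated after n attempts; the tracker then reclaims them.
std::size_t leaked_after(int n, bool fixed) {
    for (int i = 0; i < n; ++i) {
        if (fixed) attempt_fixed("csms.example", "/ocpp/cp001"); else attempt_leaky("csms.example", "/ocpp/cp001");
    }
    std::size_t leaked = g_live.size();
    while (!g_live.empty()) tracked_free(g_live.back());
    return leaked;
}

int main() { return leaked_after(100, true) == 0 ? 0 : 1; }
```

The leaky variant leaves two buffers behind per attempt, so the outstanding count grows linearly with the number of attempts, while the corrected variant returns to zero.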
Attack Vector
An attacker positioned on the adjacent network can exploit this vulnerability by initiating repeated connection attempts to the charging station's OCPP WebSocket interface. Each connection attempt triggers the vulnerable strdup call without corresponding memory deallocation. Over time, or through rapid connection flooding, the attacker can exhaust available system memory, causing the charging station software to become unresponsive or crash.
The attack does not require authentication or valid OCPP credentials—simply initiating the connection handshake is sufficient to trigger the memory allocation. This makes the vulnerability particularly concerning for EV charging infrastructure exposed on local networks where an attacker might gain adjacent network access.
Detection Methods for CVE-2025-68138
Indicators of Compromise
- Gradual increase in memory consumption on EV charging station systems over time
- Memory usage spikes correlated with connection attempt activity to OCPP WebSocket endpoints
- System instability or out-of-memory errors on charging infrastructure running libocpp
- Unusual volume of connection attempts from specific adjacent network sources
Detection Strategies
- Monitor system memory utilization trends on charging station platforms running EVerest
- Implement connection rate limiting and logging on OCPP WebSocket endpoints
- Deploy network intrusion detection to identify connection flooding patterns from adjacent network segments
- Use memory profiling tools to detect leak patterns in libocpp processes
Monitoring Recommendations
- Configure alerts for abnormal memory growth on systems running EVerest libocpp
- Log and analyze WebSocket connection attempt patterns for volumetric anomalies
- Establish baseline memory usage metrics for EV charging infrastructure to identify deviations
- Implement network segmentation monitoring to detect unauthorized adjacent network access
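One way to turn "memory growth correlated with connection attempts" into an alert, as an added example that is not part of EVerest or the advisory. It assumes you already collect cumulative connection-attempt counts and the process RSS (for example from `/proc/<pid>/status`); the thresholds and the sample values are constructed assumptions.

```cpp
#include <cmath>
#include <cstddef>
#include <vector>

// One monitoring sample: cumulative connection attempts seen and process RSS in KiB.
struct Sample { double attempts; double rss_kib; };

struct LeakEstimate { double kib_per_attempt; double r; bool suspect; };

// Least-squares fit of RSS against cumulative attempts, plus Pearson correlation.
// A steady positive slope with r close to 1 means memory grows per attempt.
// min_r and min_kib_per_attempt are assumed thresholds; tune them to your baseline.
LeakEstimate estimate_leak(const std::vector<Sample>& s,
                           double min_r = 0.95, double min_kib_per_attempt = 0.01) {
    LeakEstimate out{0.0, 0.0, false};
    if (s.size() < 3) return out;  // too few points to call a trend
    const double n = static_cast<double>(s.size());
    double sx = 0, sy = 0, sxx = 0, syy = 0, sxy = 0;
    for (const Sample& p : s) {
        sx += p.attempts;
        sy += p.rss_kib;
        sxx += p.attempts * p.attempts;
        syy += p.rss_kib * p.rss_kib;
        sxy += p.attempts * p.rss_kib;
    }
    const double vx = n * sxx - sx * sx, vy = n * syy - sy * sy;
    if (vx <= 0 || vy <= 0) return out;  // no new attempts or flat memory: nothing to fit
    const double cov = n * sxy - sx * sy;
    out.kib_per_attempt = cov / vx;
    out.r = cov / std::sqrt(vx * vy);
    out.suspect = out.r >= min_r && out.kib_per_attempt >= min_kib_per_attempt;
    return out;
}

// Constructed samples, not measurements: RSS climbing with attempts vs. a stable process.
std::vector<Sample> leaking_samples() {
    return {{0, 52000}, {500, 52031}, {1000, 52064}, {1500, 52094}, {2000, 52125}};
}
std::vector<Sample> stable_samples() {
    return {{0, 52000}, {500, 52012}, {1000, 51996}, {1500, 52008}, {2000, 52001}};
}

int main() { return estimate_leak(leaking_samples()).suspect ? 0 : 1; }
```

Fitting against attempts rather than wall-clock time separates a per-connection leak from ordinary growth under load, and the slope gives a rough estimate of memory lost per attempt.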
How to Mitigate CVE-2025-68138
Immediate Actions Required
- Upgrade EVerest libocpp to version 0.30.1 or later immediately
- Implement network segmentation to restrict adjacent network access to charging station infrastructure
- Apply connection rate limiting on OCPP WebSocket interfaces as a temporary measure
- Monitor memory utilization closely on affected systems until patches are applied
Patch Information
The vulnerability is fixed in EVerest libocpp version 0.30.1. Organizations should update to this version or later to remediate the memory leak. The fix ensures proper deallocation of memory allocated by strdup calls in the WebSocket connection handling code. Detailed information about the fix is available in the GitHub Security Advisory.
Workarounds
- Implement aggressive connection rate limiting at the network layer to slow memory exhaustion
- Configure periodic service restarts during off-peak hours to reclaim leaked memory
- Deploy network access controls to restrict which hosts can initiate OCPP connections
- Monitor and alert on memory thresholds to enable proactive intervention before service degradation
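```bash
# Configuration example - connection limiting for OCPP endpoints (port 9000 is this example's value)
# Cap concurrent connections at 10 per source /24. connlimit counts open
# connections, so it bounds parallel connections rather than attempts per second.
# --syn applies the check to new connections only, so established sessions are not dropped.
iptables -A INPUT -p tcp --syn --dport 9000 -m connlimit --connlimit-above 10 --connlimit-mask 24 -j DROP
# Example cron job for periodic service restart (temporary workaround)
# 0 3 * * * systemctl restart everest-core
```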
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

