CVE-2025-1866: Undefined Behavior Due to Out-of-Bounds Pointer Arithmetic in libwebsockets

10.0 CVSS

Description

Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in warmcat libwebsockets allows Pointer Manipulation, potentially leading to out-of-bounds memory access. This issue affects libwebsockets before 4.3.4 and is present in code built specifically for the Win32 platform.

By default, the affected code is not executed unless one of the following conditions is met:

LWS_WITHOUT_EXTENSIONS (default ON) is manually set to OFF in CMake.
LWS_WITH_HTTP_STREAM_COMPRESSION (default OFF) is manually set to ON in CMake.
Despite these conditions, when triggered in affected configurations, this vulnerability may allow attackers to manipulate pointers, potentially leading to memory corruption or unexpected behavior.

Classification

CVE ID: CVE-2025-1866

CVSS Base Severity: CRITICAL

CVSS Base Score: 10.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Problem Types

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Affected Products

Vendor: warmcat

Product: libwebsockets

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 13.64% (scored less or equal to compared to others)

EPSS Date: 2025-04-01 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-1866
https://github.com/warmcat/libwebsockets/commit/3f7c79fd57338aca1bf4a1b1f24e324b80d36265

Timeline