Published: 2025/11/10 Last Updated: 2025/11/10
JVN#76719218
Multiple vulnerabilities in GNU Libmicrohttpd
Overview
GNU Libmicrohttpd provided by GNU Project contains multiple vulnerabilities.
Products Affected
- GNU libmicrohttpd v1.0.2 and earlier
These vulnerabilities exist in libmicrohttpd_ws.so, which is generated when building with the --enable-experimental option, rather than in the widely used libmicrohttpd.so. Note that the vulnerable code remains in the source tree up until commit ff13abc on the master branch of the libmicrohttpd Git repository, which comes after the v1.0.2 tag.
Description
GNU Libmicrohttpd provided by GNU Project contains multiple vulnerabilities listed below.
- NULL pointer dereference (CWE-476)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Base Score 8.7
  - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Base Score 7.5
  - CVE-2025-59777
- Heap-based buffer overflow (CWE-122)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Base Score 8.7
  - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Base Score 7.5
  - CVE-2025-62689
Impact
A specially crafted packet sent by an attacker could cause a denial-of-service (DoS) condition.
Solution
Stop using libmicrohttpd_ws.so
libmicrohttpd_ws.so is an experimental implementation. It is recommended that users stop using this component.
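Because the affected code lives only in the experimental libmicrohttpd_ws.so and not in libmicrohttpd.so, the practical question for an operator is whether anything on a host actually links against that library, and whether the installed libmicrohttpd is within the advisory's "v1.0.2 and earlier" range. The following inventory check is an added example, not code from the advisory or from the libmicrohttpd project: it parses `ldd` output, flags binaries that resolve libmicrohttpd_ws.so, and compares a version string against the range stated above. The binary paths and ldd output are constructed sample data; `run_ldd` is a helper for use on a real host and is not exercised by the offline demo.

```python
"""Inventory check for the experimental libmicrohttpd_ws.so (added example).

Not part of the JVN advisory or the libmicrohttpd project. Parses ldd output,
reports binaries linked against libmicrohttpd_ws.so, and classifies a
libmicrohttpd version against the advisory range "v1.0.2 and earlier".
"""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# One ldd dependency line looks like:
#   "\tlibmicrohttpd_ws.so.12 => /usr/local/lib/libmicrohttpd_ws.so.12 (0x...)"
# The vdso line has no "=>" and is intentionally not matched.
LDD_LINE = re.compile(r"^\s*(?P<soname>\S+)\s*=>\s*(?P<path>\S*)")

# Constructed sample ldd output for two hypothetical binaries (not real hosts).
SAMPLE_LDD: Dict[str, str] = {
    "/usr/local/bin/ws-gateway": (
        "\tlinux-vdso.so.1 (0x00007ffdeadbeef0)\n"
        "\tlibmicrohttpd_ws.so.12 => /usr/local/lib/libmicrohttpd_ws.so.12 (0x00007f0000001000)\n"
        "\tlibmicrohttpd.so.12 => /usr/lib/x86_64-linux-gnu/libmicrohttpd.so.12 (0x00007f0000002000)\n"
        "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000003000)\n"
    ),
    "/usr/bin/plain-httpd": (
        "\tlinux-vdso.so.1 (0x00007ffdeadbeef0)\n"
        "\tlibmicrohttpd.so.12 => /usr/lib/x86_64-linux-gnu/libmicrohttpd.so.12 (0x00007f0000002000)\n"
        "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000003000)\n"
    ),
}


def parse_ldd(output: str) -> List[Tuple[str, str]]:
    """Return (soname, resolved path) pairs from ldd output."""
    deps: List[Tuple[str, str]] = []
    for line in output.splitlines():
        m = LDD_LINE.match(line)
        if m:
            deps.append((m.group("soname"), m.group("path")))
    return deps


def links_experimental_ws(output: str) -> bool:
    """True if the binary resolves the experimental WebSocket library."""
    return any(soname.startswith("libmicrohttpd_ws.so") for soname, _ in parse_ldd(output))


def find_ws_users(ldd_outputs: Dict[str, str]) -> List[str]:
    """Binaries (from a path -> ldd output map) that link libmicrohttpd_ws.so."""
    return sorted(path for path, out in ldd_outputs.items() if links_experimental_ws(out))


def parse_version(version: str) -> Tuple[int, ...]:
    """'v1.0.2' or '1.0.2' -> (1, 0, 2); anything else is rejected."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised libmicrohttpd version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(version: str, last_affected: str = "1.0.2") -> bool:
    """Advisory range is v1.0.2 and earlier; tuple comparison handles multi-digit parts."""
    return parse_version(version) <= parse_version(last_affected)


def run_ldd(binary: str) -> Optional[str]:
    """Collect real ldd output on this host (None if ldd is unavailable)."""
    try:
        return subprocess.run(["ldd", binary], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    for binary in find_ws_users(SAMPLE_LDD):
        print(f"{binary}: linked against experimental libmicrohttpd_ws.so (JVN#76719218)")
    for v in ("0.9.77", "1.0.2", "1.1.0"):
        print(v, "within advisory range" if is_affected_version(v) else "outside advisory range")
```

The version check only reflects the range the advisory states; since the fix commit sits after the v1.0.2 tag rather than in a tagged release, a build from master should be judged by whether it includes commit ff13abc, not by its version string. The linkage check is the more useful signal in practice: a host whose binaries never resolve libmicrohttpd_ws.so is not exposed regardless of the libmicrohttpd version installed.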
Vendor Status
| Vendor | Link |
| --- | --- |
| GNU Project | GNU Libmicrohttpd |
| GNU Project | commit ff13abc: remove broken experimental code |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Tatsuhiko Yasumatsu of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| Source | Identifier |
| --- | --- |
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory | |
| CPNI Advisory | |
| TRnotes | |
| CVE | CVE-2025-59777, CVE-2025-62689 |
| JVN iPedia | JVNDB-2025-000104 |