CRITICAL🇵🇱 Wersja polska

CVE-2025-1866

CVSS 10.0v4.0pub. 2025-03-03upd. 2026-04-15

Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in warmcat libwebsockets allows Pointer Manipulation, potentially leading to out-of-bounds memory access. This issue affects libwebsockets before 4.3.4 and is present in code built specifically for the Win32 platform. By default, the affected code is not executed unless one of the following conditions is met: LWS_WITHOUT_EXTENSIONS (default ON) is manually set to OFF in CMake. LWS_WITH_HTTP_STREAM_COMPRESSION (default OFF) is manually set to ON in CMake. Despite these conditions, when triggered in affected configurations, this vulnerability may allow attackers to manipulate pointers, potentially leading to memory corruption or unexpected behavior.

🤖 AI Analysis
How it works

The error consists of a lack of proper control of operations performed within memory buffer boundaries, which allows an attacker to manipulate pointers and access memory areas beyond permitted limits (out-of-bounds memory access). The vulnerable code is present only in Win32 platform compilations and is not executed by default. It becomes active when the LWS_WITHOUT_EXTENSIONS parameter in the CMake configuration is manually set to OFF or LWS_WITH_HTTP_STREAM_COMPRESSION to ON — these are non-default values.

Impact

In vulnerable configurations, an attacker can cause memory corruption in the process or trigger uncontrolled behavior of an application using the library, which may consequently enable remote code execution (RCE) or service destabilization.

Mitigation & patch

Update libwebsockets to version 4.3.4 or later. Available patch: commit 3f7c79fd57338aca1bf4a1b1f24e324b80d36265 in the warmcat/libwebsockets GitHub repository. If an immediate update is not possible, ensure that in the CMake configuration the LWS_WITHOUT_EXTENSIONS parameter remains set to ON (default value) and LWS_WITH_HTTP_STREAM_COMPRESSION to OFF (default value).

Who is affected

libwebsockets versions before 4.3.4, compiled for the Win32 platform with non-default options: LWS_WITHOUT_EXTENSIONS=OFF or LWS_WITH_HTTP_STREAM_COMPRESSION=ON

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Memory
CWE
References