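The OCPP implementation in libocpp before 0.26.2 allows a denial of service (EVerest crash) via JSON input larger than 255 characters. The cause is that a CiString<255> object is created with StringTooLarge set to Throw, so over-length input raises an exception while the message is being processed; the resulting crash suggests the exception is not caught on that path. The affected range below runs from the first release up to, but not including, the fixed version 0.26.2.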
{
"versions": [
{
"introduced": "0"
},
{
"fixed": "0.26.2"
}
]
}[
{
"id": "CVE-2025-59398-041f5ce1",
"target": {
"file": "lib/ocpp/v2/charge_point.cpp"
},
"signature_version": "v1",
"source": "https://github.com/everest/libocpp/commit/fb391b4ff16a0a07150e5a8eebf0856fb6623cbe",
"signature_type": "Line",
"digest": {
"line_hashes": [
"329914649163498463201405919058363773259",
"191782502361572714822329576504077630384",
"226063914280258387762726754857852685240",
"282922994923743629426707999042575520406",
"136402490273983162638423395517940998810",
"336988327875728139135200906983482269130",
"159050727889304491647948875706886107139",
"274997886602663972079959384348766130933"
],
"threshold": 0.9
},
"deprecated": false
},
{
"id": "CVE-2025-59398-5b4b4810",
"target": {
"function": "ChargePoint::message_callback",
"file": "lib/ocpp/v2/charge_point.cpp"
},
"signature_version": "v1",
"source": "https://github.com/everest/libocpp/commit/fb391b4ff16a0a07150e5a8eebf0856fb6623cbe",
"signature_type": "Function",
"digest": {
"function_hash": "85469999211743027846757861404581018417",
"length": 7340.0
},
"deprecated": false
},
{
"id": "CVE-2025-59398-61be6753",
"target": {
"function": "ChargePointImpl::handleResetRequest",
"file": "lib/ocpp/v16/charge_point_impl.cpp"
},
"signature_version": "v1",
"source": "https://github.com/EVerest/libocpp/commit/ec4949cc8d2887c9d19d97b44b9236b8b88a8a7b",
"signature_type": "Function",
"digest": {
"function_hash": "7070882406317729019080362432367989838",
"length": 1358.0
},
"deprecated": false
},
{
"id": "CVE-2025-59398-843a1bd5",
"target": {
"file": "include/ocpp/common/message_queue.hpp"
},
"signature_version": "v1",
"source": "https://github.com/everest/libocpp/commit/fb391b4ff16a0a07150e5a8eebf0856fb6623cbe",
"signature_type": "Line",
"digest": {
"line_hashes": [
"242458449135854739851948518810059249848",
"10575674806477531753861574198813457614",
"196977730058034066642156776201897383258",
"66770497864817877471414621064748994124",
"42650009989781155559769190597484297912",
"336142444310787340366234446267074719041",
"101177556271919559789197140705369459622"
],
"threshold": 0.9
},
"deprecated": false
},
{
"id": "CVE-2025-59398-dd5a8d8d",
"target": {
"file": "lib/ocpp/v16/charge_point_impl.cpp"
},
"signature_version": "v1",
"source": "https://github.com/EVerest/libocpp/commit/ec4949cc8d2887c9d19d97b44b9236b8b88a8a7b",
"signature_type": "Line",
"digest": {
"line_hashes": [
"144145004473872556552143305028902613851",
"35699249817163172743542849699616494166",
"53334171588760620306534512594036637971",
"135644134620645549806839062470264463781",
"240522512309630831697827857464120036961",
"308993836890266374978904906784019307354",
"162790871845912678158843320662248851176",
"208458563293752178943462957903839898449",
"276802959634391546605903458622506748095",
"78121856753964299456430525400299748860"
],
"threshold": 0.9
},
"deprecated": false
}
]
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59398.json"
"2026-04-12T18:47:04Z"