CVE-2025-68139

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-68139
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68139.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-68139
Aliases
  • GHSA-wqh4-pj54-6xv9
Published
2026-01-21T19:36:36.127Z
Modified
2026-03-10T14:47:22.726828Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
In EVerest, by default, the EV is responsible for closing the connection if the module encounters an error during request processing
Details

EVerest is an EV charging software stack. In all versions up to and including 2025.12.1, the default value for terminate_connection_on_failed_response is False, which leaves the responsibility for session and connection termination to the EV. In this configuration, any errors encountered by the module are logged but do not trigger countermeasures such as session and connection reset or termination. This could be abused by a malicious user in order to exploit other weaknesses or vulnerabilities. While the default will stay at the setting that is described as potentially problematic in this reported issue, a mitigation is available by changing the terminate_connection_on_failed_response setting to true. However this cannot be set to this value by default since it can trigger errors in vehicle ECUs requiring ECU resets and lengthy unavailability in charging for vehicles. The maintainers judge this to be a much more important workaround then short-term unavailability of an EVSE, therefore this setting will stay at the current value.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68139.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-384"
    ]
}
References

Affected packages

Git / github.com/everest/everest-core

Affected ranges

Type
GIT
Repo
https://github.com/everest/everest-core
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
391a85aeb2afccebbd503cc246941f12bae56ba8
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2025.12.1"
        }
    ]
}

Affected versions

2022.*
2022.12.0
2022.12.1
2023.*
2023.1.0
2023.10.0
2023.12.0
2023.2.0
2023.2.1
2023.3.0
2023.5.0
2023.6.0
2023.7.0
2023.8.0
2023.9.0
2023.9.1
2024.*
2024.1.0
2024.10.0
2024.11.0
2024.2.0
2024.3.0-rc1
2024.4.0
2024.5.0
2024.6.0-rc1
2024.6.0-rc2
2024.7.0
2024.7.1
2024.8.0
2024.9.0-rc1
2025.*
2025.1.0-rc1
2025.1.0-rc2
2025.10.0
2025.12.0
2025.12.1
2025.2.0
2025.3.0
2025.4.0-rc1
2025.5.0
2025.6.0
2025.7.0
2025.7.0-rc1
2025.8.0
2025.9.0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68139.json"