Use After Free Vulnerability in Warmcat Libwebsockets WebSocket Server
CVE-2025-11677

6.3MEDIUM

Key Information:

Vendor: Warmcat
Status: Libwebsockets
Vendor: CVE Published:; 20 October 2025

What is CVE-2025-11677?

A Use After Free vulnerability has been identified in the WebSocket server implementation of Warmcat's libwebsockets. This vulnerability may allow an attacker to exploit specific configurations that utilize a user-defined callback function handling LWS_CALLBACK_HTTP_CONFIRM_UPGRADE. If successfully exploited, it could enable an attacker to cause a denial of service, disrupting the service's normal operations.

Affected Version(s)

libwebsockets 4.0 <= 4.4.2

libwebsockets 4.0 <= 4.3.6

References

https://libwebsockets.org/git/libwebsockets/commit?id=2f0...

patchvendor-advisory

https://www.nozominetworks.com/labs/vulnerability-advisor...

third-party-advisory

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 20, 2025
Vulnerability Reserved
Oct 13, 2025

Credit

Raffaele Bova at Nozomi Networks

JSON