Stack-based Buffer Overflow in Libwebsockets by Warmcat
CVE-2025-11678

7.5HIGH

Key Information:

Vendor: Warmcat
Status: Libwebsocket
Vendor: CVE Published:; 20 October 2025

What is CVE-2025-11678?

A stack-based buffer overflow vulnerability exists in libwebsockets, specifically in the lws_adns_parse_label function. When the LWS_WITH_SYS_ASYNC_DNS flag is enabled during compilation, it allows an attacker to exploit the DNS request handling. By sniffing a DNS request and crafting a response with a label that exceeds the maximum allowed length, the attacker can overflow the label_stack, leading to potential system instability or unauthorized access.

Affected Version(s)

libwebsocket 4.0 <= 4.4.2

libwebsocket 4.0 <= 4.3.6

References

https://libwebsockets.org/git/libwebsockets/commit?id=2bb...

patchvendor-advisory

https://www.nozominetworks.com/labs/vulnerability-advisor...

third-party-advisory

CVSS V4

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 20, 2025
Vulnerability Reserved
Oct 13, 2025

Credit

Raffaele Bova at Nozomi Networks

JSON