Use of Out-of-range Pointer Offset Affecting warmcat/libwebsockets package, versions [,4.3.4)


Severity: high

CVSS assessment made by Snyk's Security Team.

  • Snyk ID: SNYK-UNMANAGED-WARMCATLIBWEBSOCKETS-9056210
  • Published: 4 Mar 2025
  • Disclosed: 3 Mar 2025
  • Credit: Trail of Bits, TrustInSoft

Introduced: 3 Mar 2025

CVE-2025-1866
CWE-823

How to fix?

Upgrade warmcat/libwebsockets to version 4.3.4 or higher.

Overview

Affected versions of this package are vulnerable to Use of Out-of-range Pointer Offset due to improper handling of pointer arithmetic in inftrees.c. An attacker can trigger undefined behavior when the build has LWS_WITHOUT_EXTENSIONS set to OFF in CMake (a non-default setting) and LWS_WITH_HTTP_STREAM_COMPRESSION set to ON in CMake (a non-default setting).

Note: This vulnerability only affects applications built on a Win32 system.
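The advisory's preconditions (version before 4.3.4, the two non-default CMake options, Win32 build) can be turned into a build audit. The following is an added example, not code from Snyk or from the libwebsockets project; it reads option values from a CMakeCache.txt fragment (the `KEY:TYPE=VALUE` line format), takes the library version and target platform as inputs, and assumes the CMake defaults to be LWS_WITHOUT_EXTENSIONS=ON and LWS_WITH_HTTP_STREAM_COMPRESSION=OFF, as implied by the advisory's "non-default" wording.

```python
import re
from typing import Dict, Tuple

# Fixed release named by the advisory; every earlier release ([,4.3.4)) is affected.
FIXED_VERSION = (4, 3, 4)

def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn a version string such as '4.3.3' or '4.3.3-rc1' into a comparable tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def parse_cmake_cache(text: str) -> Dict[str, str]:
    """Collect KEY=VALUE pairs from CMakeCache.txt entries of the form KEY:TYPE=VALUE."""
    cache: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "//")):
            continue
        m = re.match(r"([A-Za-z0-9_]+):[A-Za-z]+=(.*)$", line)
        if m:
            cache[m.group(1)] = m.group(2).strip()
    return cache

def cmake_on(value: str) -> bool:
    """CMake boolean semantics: ON/YES/TRUE/Y/1 are true, anything else is false."""
    return value.strip().upper() in {"ON", "YES", "TRUE", "Y", "1"}

def is_affected(version: str, cache: Dict[str, str], win32: bool) -> bool:
    """True only when every precondition in the advisory holds for this build.
    Defaults (LWS_WITHOUT_EXTENSIONS=ON, LWS_WITH_HTTP_STREAM_COMPRESSION=OFF) are
    assumed from the advisory describing the vulnerable values as non-default.
    """
    old_release = parse_version(version) < FIXED_VERSION
    extensions_on = not cmake_on(cache.get("LWS_WITHOUT_EXTENSIONS", "ON"))
    compression_on = cmake_on(cache.get("LWS_WITH_HTTP_STREAM_COMPRESSION", "OFF"))
    return old_release and extensions_on and compression_on and win32

# Constructed sample CMakeCache.txt fragment (not from a real build) showing the
# non-default combination the advisory describes.
SAMPLE_CACHE = """\
# CMakeCache.txt (constructed sample)
LWS_WITHOUT_EXTENSIONS:BOOL=OFF
LWS_WITH_HTTP_STREAM_COMPRESSION:BOOL=ON
"""
```

A build that reports affected should be moved to 4.3.4 or later; flipping either option back to its default also removes the precondition the advisory describes.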
