CVE-2025-11678: CWE-121 Stack-based Buffer Overflow in warmcat libwebsocket
A stack-based buffer overflow in lws_adns_parse_label in warmcat libwebsockets, present when the library is compiled with the LWS_WITH_SYS_ASYNC_DNS flag enabled, lets an attacker who is able to sniff a DNS request craft a response with a matching id containing a label longer than the maximum, overflowing the label_stack.
AI Analysis
Technical Summary
CVE-2025-11678 is a stack-based buffer overflow vulnerability identified in the warmcat libwebsockets library, version 4.0, specifically within the lws_adns_parse_label function. This function parses DNS labels when the library is compiled with the LWS_WITH_SYS_ASYNC_DNS flag enabled, which turns on asynchronous DNS resolution. The vulnerability arises because the label_stack buffer can be overflowed if an attacker crafts a DNS response containing a label longer than the maximum expected length. To exploit this, an attacker must be able to sniff DNS requests to obtain the matching DNS transaction ID, then answer with a crafted DNS packet that triggers the overflow. The overflow corrupts the stack, potentially allowing arbitrary code execution or a denial of service by crashing the application. The CVSS 4.0 score of 7.5 (High) corresponds to an adjacent (local network) attack vector, low attack complexity, no privileges required, and user interaction required. The vulnerability has high impact on confidentiality, integrity, and availability. No public exploits are known yet, but the vulnerability is published and should be treated seriously. The lack of available patches at the time of publication makes immediate mitigation necessary. This vulnerability is particularly relevant for applications that rely on libwebsockets for network communication, especially those using asynchronous DNS resolution in environments where DNS traffic can be intercepted or manipulated.
Potential Impact
For European organizations, the impact of CVE-2025-11678 can be significant, especially for those deploying libwebsockets in critical infrastructure, IoT devices, or embedded systems that rely on asynchronous DNS resolution. Successful exploitation could lead to remote code execution, allowing attackers to gain control over affected systems, exfiltrate sensitive data, or disrupt services. This is particularly concerning for sectors such as telecommunications, manufacturing, and critical infrastructure, where libwebsockets might be embedded in networked devices. The requirement for DNS traffic sniffing limits exploitation to attackers with network access or the ability to perform man-in-the-middle attacks, which could be feasible in poorly segmented or unsecured networks. The vulnerability threatens confidentiality, integrity, and availability, potentially causing operational disruptions and data breaches. Given the widespread use of libwebsockets in various applications, the scope of affected systems could be broad, impacting both enterprise and industrial environments across Europe.
Mitigation Recommendations
1. Disable the LWS_WITH_SYS_ASYNC_DNS flag during compilation if asynchronous DNS resolution is not essential for your application, eliminating the vulnerable code path.
2. Monitor network traffic for unusual DNS responses, especially those with abnormally long labels or unexpected transaction IDs, to detect potential exploitation attempts.
3. Implement network segmentation and DNS traffic encryption (e.g., DNS over TLS or DNS over HTTPS) to reduce the risk of DNS traffic sniffing and manipulation.
4. Apply patches or updates from the libwebsockets project as soon as they become available to address this vulnerability directly.
5. Conduct thorough code audits and penetration testing on applications using libwebsockets to identify and remediate any related vulnerabilities.
6. Employ runtime protections such as stack canaries, address space layout randomization (ASLR), and control flow integrity (CFI) to limit the impact of exploitation.
7. Educate development and security teams about the risks of enabling asynchronous DNS features without proper safeguards.
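As an added illustration of the bounds checks that close this class of bug, the following DNS name parser is example code written for this page, not libwebsockets' own lws_adns_parse_label; the 63/255-octet limits are RFC 1035 values and the sample packet is constructed.

```c
/* Added example, not libwebsockets code: a bounds-checked DNS name parser.
 * It shows the checks whose absence turns a fixed-size label buffer into a
 * CWE-121 stack overflow: every read stays inside the packet, each label is
 * at most 63 octets, the whole name at most 255, pointers are hop-limited. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define DNS_MAX_LABEL 63
#define DNS_MAX_NAME  255
#define DNS_MAX_HOPS  8
/* Parse the name at pkt[off] into out (dotted, NUL-terminated). Returns the
 * offset just past the name, or -1 on malformed or over-long input. */
int dns_parse_name(const uint8_t *pkt, size_t len, size_t off, char *out, size_t outlen)
{
    size_t o = 0, end = 0, total = 0;
    int hops = 0;
    for (;;) {
        if (off >= len || outlen == 0) return -1;  /* length byte inside packet */
        uint8_t l = pkt[off];
        if ((l & 0xC0) == 0xC0) {                  /* compression pointer */
            if (off + 1 >= len || ++hops > DNS_MAX_HOPS) return -1;
            if (!end) end = off + 2;               /* name ends at first pointer */
            off = (size_t)((l & 0x3F) << 8) | pkt[off + 1];
            continue;
        }
        off++;
        if (l == 0) break;                         /* root label ends the name */
        if (l > DNS_MAX_LABEL) return -1;          /* also rejects 0x40/0x80 prefixes */
        if (off + l > len) return -1;              /* label bytes inside packet */
        total += l + 1;
        if (total + 1 > DNS_MAX_NAME) return -1;   /* wire name incl. terminator */
        if (o + l + 2 > outlen) return -1;         /* room for '.', label and NUL */
        if (o) out[o++] = '.';
        memcpy(out + o, pkt + off, l);
        o += l;
        off += l;
    }
    out[o] = '\0';
    return (int)(end ? end : off);
}
/* Constructed sample wire data (not captured traffic). */
static const uint8_t PKT[] = {
    7,'e','x','a','m','p','l','e', 3,'o','r','g', 0,  /* off 0: example.org */
    2,'n','s', 0xC0, 0x00,                            /* off 13: ns + ptr -> 0 */
    0x7F, 'a','b','c',                                /* off 18: length 127 > 63 */
    0xC0, 0x16 };                                     /* off 22: pointer to itself */
/* Helpers that parse from the sample packet: return code, and parsed name. */
int sample_rc(size_t off) { char n[256]; return dns_parse_name(PKT, sizeof PKT, off, n, sizeof n); }
const char *sample_name(size_t off) { static char n[256]; dns_parse_name(PKT, sizeof PKT, off, n, sizeof n); return n; }
```

A length byte of 0x7F would be copied as a 127-octet label by a parser that skips the per-label check, which is exactly the kind of write that overruns a 64-byte stack buffer; here it is rejected before any copy.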
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Nozomi
- Date Reserved: 2025-10-13T09:56:39.308Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68f6402668d8b0c0b42c1773
Added to database: 10/20/2025, 1:59:02 PM
Last enriched: 10/20/2025, 2:13:49 PM
Last updated: 10/20/2025, 4:50:16 PM