CVE-2025-11680 is an out-of-bounds write vulnerability classified under CWE-787 found in the warmcat libwebsockets library, specifically in version 4.0. The flaw exists in the unfilter_scanline function when the library is compiled with the LWS_WITH_UPNG flag enabled and the HTML display stack is utilized. The vulnerability arises due to an integer overflow caused by a crafted PNG image with a large width value. This overflow affects the calculation of the heap allocation size, leading to a buffer overflow where data is written past the allocated heap buffer. The exploitation vector requires a victim to visit an attacker-controlled website hosting the malicious PNG file. The consequence of this vulnerability can be a denial of service (application crash) or potentially memory corruption that could be leveraged for further attacks, although no public exploits are known at this time. The CVSS 4.0 score is 5.9, reflecting a medium severity with network attack vector, high attack complexity, partial user interaction, and no privileges required. The vulnerability impacts applications embedding libwebsockets 4.0 with the specified configuration, commonly used for websocket communication and HTML display in embedded or IoT devices. The lack of patches or mitigations currently available increases the urgency for affected users to implement workarounds or monitor for updates.

For European organizations, the impact of CVE-2025-11680 depends on their use of libwebsockets 4.0 with the LWS_WITH_UPNG flag enabled and the HTML display stack. Organizations running web-facing applications or embedded devices that process PNG images via libwebsockets are at risk of service disruption due to crashes. This can affect availability of critical services, especially in sectors relying on embedded systems such as industrial control, telecommunications, or IoT deployments prevalent in Europe. While no known exploits exist yet, the vulnerability could be weaponized to cause denial of service or potentially enable remote code execution if combined with other flaws. This poses a risk to confidentiality and integrity if exploited in complex attack chains. The medium severity score indicates moderate risk, but the network vector and no privilege requirement mean attackers can attempt exploitation remotely, increasing the threat surface. European organizations with critical infrastructure or sensitive data processed through affected systems should consider this vulnerability a priority for risk assessment and mitigation.

1. Immediately audit all deployments of libwebsockets version 4.0 to identify usage of the LWS_WITH_UPNG flag and HTML display stack. 2. If possible, disable the LWS_WITH_UPNG flag or avoid using the HTML display stack until a patch is available. 3. Implement strict input validation and filtering on PNG files processed by libwebsockets to detect and block images with suspiciously large width values. 4. Employ network-level protections such as web application firewalls (WAFs) to detect and block malicious PNG payloads from untrusted sources. 5. Monitor vendor announcements and subscribe to security advisories for updates or patches addressing this vulnerability. 6. Consider isolating or sandboxing applications using libwebsockets to limit the impact of potential crashes or memory corruption. 7. Conduct penetration testing and fuzzing on affected systems to identify if the vulnerability can be exploited in the specific environment. 8. Prepare incident response plans to quickly address potential exploitation attempts. 9. Engage with vendors or open-source maintainers to accelerate patch development and deployment.