CVE-2025-59391 identifies a memory disclosure vulnerability in the libcoap library, specifically within the OSCORE configuration parser component. libcoap is a widely used open-source implementation of the Constrained Application Protocol (CoAP), which is designed for resource-constrained devices and IoT environments. The vulnerability arises due to an out-of-bounds read condition triggered when the parser processes certain malformed or crafted configuration values. This out-of-bounds read occurs in the .rodata section of memory, which typically contains read-only data such as string literals and configuration constants. By exploiting this flaw, an attacker can infer or directly read memory contents beyond the intended boundaries, potentially leaking sensitive information such as cryptographic keys, configuration secrets, or other critical data stored in memory. Additionally, the flaw can cause the application to crash, resulting in a denial of service. The vulnerability does not require prior authentication, as it can be triggered by supplying malicious configuration data to the parser. However, exploitation requires the attacker to have the ability to influence or provide configuration inputs to the vulnerable libcoap instance. Currently, no public exploits or active exploitation campaigns have been reported. The issue affects libcoap versions before release-4.3.5-patches, and users are advised to upgrade to patched versions once available. Given libcoap's role in IoT and constrained device communications, this vulnerability poses a risk to systems relying on secure CoAP messaging via OSCORE, especially in environments where confidentiality and availability are critical.

For European organizations, the impact of CVE-2025-59391 can be significant, particularly for those deploying IoT devices, smart city infrastructure, industrial control systems, or other constrained environments using CoAP with OSCORE security. The memory disclosure can lead to leakage of sensitive information such as cryptographic keys or configuration secrets, undermining the confidentiality of communications and potentially enabling further attacks. The denial of service aspect can disrupt critical services relying on CoAP messaging, affecting availability. Organizations involved in sectors like energy, transportation, healthcare, and manufacturing that utilize IoT devices with libcoap are particularly vulnerable. The risk is heightened in environments where attackers can supply or manipulate configuration data remotely or locally. This vulnerability could also facilitate lateral movement or privilege escalation if sensitive memory contents are disclosed. The absence of known exploits currently provides a window for mitigation, but the potential for future exploitation necessitates proactive measures.

1. Apply patches or upgrade libcoap to version 4.3.5-patches or later as soon as they become available to eliminate the vulnerability. 2. Implement strict validation and sanitization of configuration inputs to prevent malformed or malicious data from reaching the OSCORE configuration parser. 3. Restrict access to configuration interfaces to trusted administrators and authenticated systems only, minimizing the attack surface. 4. Monitor configuration changes and logs for unusual or unauthorized modifications that could indicate exploitation attempts. 5. Employ network segmentation and access controls to limit exposure of devices running libcoap to untrusted networks or users. 6. Conduct regular security assessments and penetration testing focused on IoT and constrained device environments to detect similar vulnerabilities. 7. Educate operational teams about the risks associated with configuration management and the importance of timely patching in IoT ecosystems.