
CVE-2025-59398: CWE-392 Missing Report of Error Condition in EVerest libocpp

Severity: Low
Type: Vulnerability
Tags: CVE-2025-59398, cve, cve-2025-59398, cwe-392
Published: Mon Sep 15 2025 (09/15/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: EVerest
Product: libocpp

Description

The OCPP implementation in libocpp before 0.26.2 allows a denial of service (EVerest crash) via JSON input larger than 255 characters, because a CiString<255> object is created with StringTooLarge set to Throw.

AI-Powered Analysis

Last updated: 09/15/2025, 18:50:23 UTC

Technical Analysis

CVE-2025-59398 is a vulnerability in the EVerest project's libocpp library, which implements the Open Charge Point Protocol (OCPP). The flaw arises from improper handling of JSON input sizes within the library. libocpp versions prior to 0.26.2 use a CiString template class instantiated with a maximum size of 255 characters (CiString<255>), and the object is created with the StringTooLarge policy set to Throw, so JSON input that exceeds this size causes an exception to be thrown. The library lacks proper error reporting or handling for this condition (classified as CWE-392: Missing Report of Error Condition). As a result, oversized JSON input leads to an unhandled exception that crashes the EVerest application, causing a denial of service (DoS). The vulnerability does not impact confidentiality or integrity; it affects availability by crashing the service. The CVSS v3.1 score is 3.1 (low severity), reflecting the limited impact, a network attack vector, high attack complexity, and no required privileges or user interaction. No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability is relevant for any deployment using libocpp versions before 0.26.2, particularly in environments where OCPP is used to manage electric vehicle charging stations, as malformed or maliciously crafted JSON payloads exceeding 255 characters can disrupt service availability.

Potential Impact

For European organizations, especially those involved in electric vehicle infrastructure and smart grid management, this vulnerability could disrupt charging station operations by causing the OCPP service to crash upon receiving oversized JSON messages. This denial of service could lead to temporary unavailability of charging services, impacting end-users and potentially causing operational delays. While the impact is limited to availability and does not compromise data confidentiality or integrity, the disruption could affect service reliability and customer trust. Given the increasing adoption of electric vehicles and the EU's emphasis on sustainable transport, any interruption in charging infrastructure could have broader implications for mobility and energy management. Organizations relying on libocpp in their charging station software stacks should be aware of this risk, particularly in environments exposed to untrusted networks or where attackers might send crafted JSON payloads. However, the high attack complexity and lack of known exploits reduce the immediate risk level.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Upgrade libocpp to version 0.26.2 or later, where this issue is addressed.
2) Implement input validation and size checks on JSON payloads before processing to ensure they do not exceed expected limits, thereby preventing exceptions from being thrown.
3) Enhance error handling in the OCPP implementation to gracefully manage exceptions caused by oversized inputs, avoiding service crashes.
4) Deploy network-level protections such as firewalls or intrusion detection systems configured to detect and block anomalous or oversized JSON payloads targeting OCPP endpoints.
5) Monitor logs and application behavior for signs of repeated crashes or malformed input attempts, enabling early detection of exploitation attempts.
6) Where possible, restrict network access to OCPP services to trusted sources to reduce exposure to malicious inputs.

These steps go beyond generic advice by focusing on proactive input validation, robust error handling, and network-level controls tailored to the OCPP protocol context.
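The failure mode and the error-handling mitigation can be seen in a small C++ model. This is an added example, not libocpp source code: `BoundedString`, `Outcome`, `convert_unchecked`, `handle_field` and `count_rejected` are hypothetical names, and the inputs are constructed.

```cpp
#include <cstddef>
#include <exception>
#include <stdexcept>
#include <string>
#include <vector>

// Added example, not libocpp source. Stand-in for a length-limited string whose
// constructor throws on oversized input (the CiString<255> / Throw behaviour).
template <std::size_t L>
class BoundedString {
public:
    explicit BoundedString(const std::string& s) : data_(s) {
        if (s.size() > L)
            throw std::length_error("value exceeds " + std::to_string(L) + " characters");
    }
    const std::string& get() const { return data_; }
private:
    std::string data_;
};

// Hypothetical result type: the error is reported to the caller, not lost.
struct Outcome { bool accepted; std::string error; };

// Crash-prone shape: the exception escapes. If nothing up the call stack
// catches it, std::terminate() ends the whole process.
std::string convert_unchecked(const std::string& value) {
    return BoundedString<255>(value).get();
}

// Hardened shape: catch at the message boundary and report the failure.
Outcome handle_field(const std::string& value) {
    try {
        convert_unchecked(value);
        return {true, ""};
    } catch (const std::exception& e) {
        return {false, e.what()};
    }
}

// The processing loop keeps running after an oversized value is rejected.
std::size_t count_rejected(const std::vector<std::string>& values) {
    std::size_t rejected = 0;
    for (const auto& v : values)
        if (!handle_field(v).accepted) ++rejected;
    return rejected;
}

int main() {  // constructed inputs: at the limit, one over, and a short value
    return count_rejected({std::string(255, 'A'), std::string(256, 'A'), "CP001"}) == 1 ? 0 : 1;
}
```

A value of exactly 255 characters is accepted; the 256-character value is rejected with a reported error while the values after it are still processed.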

Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-09-15T00:00:00.000Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 68c85fca5c6c1197c2b41eb9

Added to database: 9/15/2025, 6:49:46 PM

Last enriched: 9/15/2025, 6:50:23 PM

Last updated: 9/17/2025, 1:23:06 AM
