CVE-2025-68138: CWE-770: Allocation of Resources Without Limits or Throttling in EVerest everest-core
EVerest is an EV charging software stack, and EVerest libocpp is a C++ implementation of the Open Charge Point Protocol. In libocpp prior to version 0.30.1, pointers returned by the `strdup` calls are never freed. At each connection attempt, the newly allocated memory area will be leaked, potentially causing memory exhaustion and denial of service. Version 0.30.1 fixes the issue.
AI Analysis
Technical Summary
CVE-2025-68138 is a resource exhaustion vulnerability (CWE-770) in the EVerest libocpp library, the C++ implementation of the Open Charge Point Protocol (OCPP) used by everest-core. Pointers returned by `strdup` calls made during connection attempts are never freed, so each new connection attempt leaks a fresh allocation and the process's memory footprint grows without bound. Over enough attempts this exhausts available memory and the charging software becomes unresponsive or crashes, a denial of service (DoS). All libocpp versions prior to 0.30.1 are affected; 0.30.1 frees the allocated memory. The CVSS vector requires only adjacent-network access (AV:A) and no privileges or user interaction, so an unauthenticated party able to initiate connection attempts can trigger the leak. The impact is limited to availability; confidentiality and integrity are not directly affected. No exploits in the wild had been reported as of publication. The issue matters most to EV charging operators running everest-core with a vulnerable libocpp: given the density of charging deployments across Europe, the leak could disrupt charging service whether exploited deliberately or triggered inadvertently by high connection volumes, such as a charge point that keeps retrying a connection. The CVSS v3.1 base score is 4.7 (medium), reflecting an availability-only impact that is nevertheless reachable without authentication. More broadly, the flaw is a reminder that resource ownership in network-facing components of critical infrastructure software needs the same scrutiny as input validation.
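The following is an added illustration, not libocpp's own code, of the pattern the advisory describes: a `strdup` per connection attempt whose result is never released, beside the RAII form that frees it on every exit path. The live-copy counter, `ConnectInfo` and `connect_stub` are hypothetical stand-ins so the leak can be measured offline.

```cpp
#include <cstdlib>
#include <cstring>
#include <memory>
#include <string>

// Live-copy counter: hypothetical instrumentation so the leak is measurable.
static int g_live_copies = 0;
static char* dup_tracked(const std::string& s) {
    char* p = strdup(s.c_str());
    if (p) ++g_live_copies;
    return p;
}
static void free_tracked(char* p) noexcept {
    if (p) { std::free(p); --g_live_copies; }
}

// Stand-in for a C-style connect API that takes raw const char* fields
// (the kind of interface that tempts a caller into strdup).
struct ConnectInfo { const char* address; const char* path; };
static bool connect_stub(const ConnectInfo& ci) {
    return ci.address && ci.address[0] != '\0';  // "connects" iff host non-empty
}

// Vulnerable pattern: every attempt duplicates the strings and never frees them,
// so a charge point retrying an unreachable backend grows its heap without bound.
bool attempt_leaky(const std::string& host, const std::string& path) {
    ConnectInfo ci{dup_tracked(host), dup_tracked(path)};
    return connect_stub(ci);  // both copies leak on every return path
}

// Fixed pattern: a unique_ptr with a free() deleter owns each copy, so it is
// released on every exit path (success, failure or exception).
struct FreeDeleter { void operator()(char* p) const noexcept { free_tracked(p); } };
using CString = std::unique_ptr<char, FreeDeleter>;

bool attempt_fixed(const std::string& host, const std::string& path) {
    CString address(dup_tracked(host));
    CString p(dup_tracked(path));
    if (!address || !p) return false;      // early return still frees both
    ConnectInfo ci{address.get(), p.get()};
    return connect_stub(ci);
}

// Drive n reconnection attempts and return how many copies they left alive.
int leaked_by(bool (*attempt)(const std::string&, const std::string&), int n) {
    int before = g_live_copies;
    for (int i = 0; i < n; ++i) attempt("csms.example", "/ocpp");
    return g_live_copies - before;
}
```

Running the leaky variant under a sanitizer (`-fsanitize=address`) or Valgrind reports the same per-attempt allocations as definitely lost; the fixed variant reports none.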
Potential Impact
For European organizations operating EV charging infrastructure, this vulnerability is a denial-of-service risk through memory exhaustion. Charging outages directly affect EV users and translate into operational downtime and customer dissatisfaction; critical infrastructure operators and service providers may also face reputational damage and regulatory scrutiny if charging availability is compromised. The impact is on availability only, with no data breach or integrity loss. Prolonged outages could nevertheless cascade into broader operational problems, particularly in countries with high EV adoption where charging stations are integral to the transport network. Emergency patching and hardware resets add maintenance cost. As reliance on EV infrastructure in Europe grows, stable and secure operation of the charging stack is essential to the environmental and transportation policies that depend on it.
Mitigation Recommendations
The primary mitigation is to upgrade every affected EVerest libocpp component to version 0.30.1 or later, where the leak is fixed. Audit EV charging deployments to identify vulnerable versions and patch promptly. Monitor and alert on the memory usage of charging station software so that steadily climbing consumption is caught before exhaustion; for this bug the signature is resident memory that grows in step with connection attempts and never returns to baseline. Network-level controls that rate-limit connection attempts reduce how quickly the leak can be driven. Regular software integrity checks and vulnerability assessments of the EV infrastructure remain good practice. Where immediate patching is not feasible, periodically restarting the affected service releases the leaked memory, but this is a temporary stopgap only. Coordinate with EVerest maintainers for timely updates and security advisories, and include resource usage testing (for example leak detection under repeated connect/disconnect cycles) in the update pipeline so that similar issues are caught before release.
Affected Countries
Germany, Netherlands, France, Norway, United Kingdom, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-15T18:09:12.695Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69712e204623b1157ce8e0b4
Added to database: 1/21/2026, 7:50:56 PM
Last enriched: 1/21/2026, 8:05:33 PM
Last updated: 1/21/2026, 11:43:51 PM