CVE-2025-68138 is a resource exhaustion vulnerability classified under CWE-770 affecting the EVerest libocpp library, which implements the Open Charge Point Protocol (OCPP) used widely in electric vehicle (EV) charging infrastructure. The vulnerability arises because pointers returned by strdup calls within the library are never freed, resulting in a memory leak each time a connection attempt is made to the charging station software. Over time, this leak can accumulate, causing memory exhaustion that leads to denial of service (DoS) conditions, rendering the charging station or management software unresponsive or crashed. The flaw affects all libocpp versions prior to 0.30.1, with the fix introduced in that version. The CVSS 3.1 score is 4.7 (medium severity), reflecting that the attack vector is adjacent network (AV:A), requires no privileges (PR:N), no user interaction (UI:N), and impacts availability (A:L) but not confidentiality or integrity. The vulnerability is particularly concerning for EV charging operators because it can disrupt charging services, potentially affecting large numbers of EV users. No public exploits have been reported, but the simplicity of the memory leak and the network exposure of charging stations make it a plausible target for attackers aiming to cause service outages. The vulnerability is systemic to the libocpp library, so any EV charging software stack using vulnerable versions is at risk.

For European organizations, this vulnerability poses a risk primarily to the availability of EV charging infrastructure. Memory exhaustion leading to denial of service can disrupt charging services, causing operational downtime and customer dissatisfaction. This is especially critical as Europe aggressively promotes EV adoption and relies on robust charging networks. Disruptions could affect public charging stations, fleet operators, and utilities managing EV infrastructure. The impact extends to potential economic losses, reduced trust in EV infrastructure reliability, and cascading effects on smart grid management if charging stations are integrated with grid control systems. Since the vulnerability does not affect confidentiality or integrity, data breaches are unlikely, but service interruptions could have significant operational consequences. Organizations operating or managing EV charging networks must consider this vulnerability in their risk assessments and incident response planning.

To mitigate this vulnerability, European EV infrastructure operators should immediately upgrade all instances of the EVerest libocpp library to version 0.30.1 or later, where the memory leak is fixed. Operators should audit their software stacks to identify any usage of vulnerable libocpp versions. Implementing runtime monitoring of memory usage on charging stations and backend systems can help detect abnormal memory growth indicative of exploitation attempts. Network segmentation and limiting access to charging station management interfaces can reduce exposure to potential attackers. Additionally, operators should establish incident response procedures to quickly reboot or isolate affected devices if memory exhaustion symptoms appear. Vendors and integrators should verify that their products incorporate the patched library version and communicate updates promptly to customers. Finally, maintaining up-to-date software inventories and vulnerability management processes will help prevent similar issues.