Bug 2413716 (CVE-2025-62689)

Summary: CVE-2025-62689 libmicrohttpd: GNU libmicrohttpd null pointer dereference
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A null pointer dereference vector has been discovered in GNU libmicrohttpd. A specially crafted packet sent by an attacker could cause a denial-of-service (DoS) in the application using libmicrohttpd.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2413883, 2413885, 2413887, 2413889, 2413891, 2413893, 2413894, 2413895, 2413896, 2413897, 2413898
Bug Blocks:

Description OSIDB Bzimport 2025-11-10 05:01:39 UTC
A NULL pointer dereference vulnerability exists in GNU libmicrohttpd v1.0.2 and earlier. The vulnerability was fixed in commit ff13abc on the master branch of the libmicrohttpd Git repository, after the v1.0.2 tag. A specially crafted packet sent by an attacker could cause a denial-of-service (DoS) condition.