CVE-2025-6566
Published: 24 June 2025
Summary
CVE-2025-6566 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in oatpp Oat++. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 20.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Deeper analysis
A vulnerability has been identified in oatpp Oat++ versions up to 1.3.1 within the deserializeArray function of src/oatpp/json/Deserializer.cpp. The issue stems from improper handling during JSON array deserialization, resulting in a stack-based buffer overflow that maps to CWE-119, CWE-121, and CWE-787. The flaw received a CVSS 4.0 score of 5.5 and can be triggered over the network.
An unauthenticated remote attacker can supply crafted input to the affected deserialization routine to trigger the overflow. Publicly disclosed exploit material demonstrates the ability to induce a crash, with the provided CVSS vector indicating limited impact confined to availability.
The associated EPSS score remains flat at 0.0129 with no material increase observed after disclosure. References point to a GitHub issue and crash reproduction data but contain no details on patches or configuration-based mitigations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-19006
Vulnerability details
A vulnerability was found in oatpp Oat++ up to 1.3.1. It has been declared as critical. This vulnerability affects the function deserializeArray of the file src/oatpp/json/Deserializer.cpp. The manipulation leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Remote unauthenticated stack-based buffer overflow in Oat++ JSON deserializer (deserializeArray) enables exploitation of public-facing web framework applications for initial access (T1190) and denial of service via application exploitation (T1499.004).
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Memory protections (e.g., W^X, ASLR) make exploitation of buffer-boundary violations far harder to turn into code execution.
Ongoing control assessments and code testing (static/dynamic analysis, fuzzing) surface memory buffer restriction failures, which are then remediated before release.
Managed runtimes used by platform-independent applications (e.g., JVM, CLR) enforce memory safety, preventing most buffer overflows that require direct memory manipulation.
Detects exploitation attempts that produce memory corruption, crashes, or anomalous behavior.