Use After Free in Warmcat Libwebsockets

CVE-2025-11677

Use After Free in WebSocket server implementation in lws_handshake_server in warmcat libwebsockets may allow an attacker, in specific configurations where the user provides a callback function that handles LWS_CALLBACK_HTTP_CONFIRM_UPGRADE…

Vulnerability class: Use-After-Free

EPSS: 0.001 (22.6th percentile)
