Low severity3.1NVD Advisory· Published Sep 15, 2025· Updated Apr 15, 2026
CVE-2025-59399
CVE-2025-59399
Description
libocpp before 0.28.0 allows a denial of service (EVerest crash) because a secondary exception is thrown during error message generation.
Patches
21d2ce8db1b69Using correct default price texts if online / offline. Before this change, the DefaultPriceText.priceTexts[n] was used, although this configuration key is only meant for the non default languages as a backup (#1103)
3 files changed · +33 −33
include/ocpp/v16/charge_point_configuration.hpp+1 −2 modified@@ -469,8 +469,7 @@ class ChargePointConfiguration { std::optional<KeyValue> getPriceNumberOfDecimalsForCostValuesKeyValue(); std::optional<std::string> getDefaultPriceText(const std::string& language); - TariffMessage getTariffMessageWithDefaultPriceText(); - TariffMessage getTariffMessageWithDefaultPriceTextOffline(); + TariffMessage getDefaultTariffMessage(bool offline); ConfigurationStatus setDefaultPriceText(const CiString<50>& key, const CiString<500>& value); KeyValue getDefaultPriceTextKeyValue(const std::string& language); std::optional<std::vector<KeyValue>> getAllDefaultPriceTextKeyValues();
lib/ocpp/v16/charge_point_configuration.cpp+28 −26 modified@@ -2679,47 +2679,49 @@ std::optional<std::string> ChargePointConfiguration::getDefaultPriceText(const s return std::nullopt; } -TariffMessage ChargePointConfiguration::getTariffMessageWithDefaultPriceText() { +TariffMessage ChargePointConfiguration::getDefaultTariffMessage(bool offline) { TariffMessage tariff_message; - if (this->config.contains("CostAndPrice") and this->config.at("CostAndPrice").contains("DefaultPriceText")) { - json& default_tariff = this->config["CostAndPrice"]["DefaultPriceText"]; - if (!default_tariff.contains("priceTexts")) { - return tariff_message; - } + if (!this->config.contains("CostAndPrice")) { + EVLOG_warning << "No CostAndPrice configuration found, returning empty TariffMessage."; + return tariff_message; + } - for (auto& item : default_tariff.at("priceTexts").items()) { - const auto tariff_message_item = item.value(); - if (tariff_message_item.contains("priceText") and tariff_message_item.contains("language")) { - DisplayMessageContent content; - content.message = tariff_message_item.at("priceText"); - content.language = tariff_message_item.at("language"); - tariff_message.message.push_back(content); - } + const auto& cost_and_price = this->config.at("CostAndPrice"); + const std::string key = offline ? 
"priceTextOffline" : "priceText"; + + if (cost_and_price.contains("DefaultPrice")) { + const auto& default_price = cost_and_price.at("DefaultPrice"); + if (default_price.contains(key)) { + DisplayMessageContent content; + content.message = default_price.at(key); + content.language = this->getLanguage(); + tariff_message.message.push_back(content); } } - return tariff_message; -} -TariffMessage ChargePointConfiguration::getTariffMessageWithDefaultPriceTextOffline() { - TariffMessage tariff_message; - if (this->config.contains("CostAndPrice") and this->config.at("CostAndPrice").contains("DefaultPriceText")) { - json& default_tariff = this->config["CostAndPrice"]["DefaultPriceText"]; + if (cost_and_price.contains("DefaultPriceText")) { + const auto& default_price_text = cost_and_price.at("DefaultPriceText"); - if (!default_tariff.contains("priceTexts")) { + if (!default_price_text.contains("priceTexts")) { return tariff_message; } - for (auto& item : default_tariff.at("priceTexts").items()) { - const auto tariff_message_item = item.value(); - if (tariff_message_item.contains("priceTextOffline") and tariff_message_item.contains("language")) { + for (auto& item : default_price_text.at("priceTexts").items()) { + const auto& message_item = item.value(); + if (message_item.contains(key) && message_item.contains("language")) { DisplayMessageContent content; - content.message = tariff_message_item.at("priceTextOffline"); - content.language = tariff_message_item.at("language"); + content.message = message_item.at(key); + content.language = message_item.at("language"); tariff_message.message.push_back(content); } } } + + if (tariff_message.message.empty()) { + EVLOG_warning << "No tariff message found in CostAndPrice configuration, returning empty TariffMessage."; + } + return tariff_message; }
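Review bot: In getDefaultTariffMessage the assignments `content.message = default_price.at(key);`, `content.message = message_item.at(key);` and `content.language = message_item.at("language");` convert a json value implicitly, and that conversion throws a json type_error when the configured value is not a string (assuming these fields are string-like). Nothing in the function catches it, and the function is called from the authorization path in charge_point_impl.cpp, so a malformed CostAndPrice entry could surface as an uncaught exception unless the configuration is schema-validated elsewhere, which is not visible here. Guarding with `default_price.contains(key) && default_price.at(key).is_string()` and the matching `is_string()` checks on `message_item` keeps the function on its "return empty TariffMessage" path. The early `return tariff_message;` taken when `priceTexts` is missing also skips the final empty-message warning.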
lib/ocpp/v16/charge_point_impl.cpp+4 −5 modified@@ -3435,10 +3435,9 @@ EnhancedIdTagInfo ChargePointImpl::authorize_id_token(CiString<20> idTag, const const auto update_tariff_message_if_eligible = [this](EnhancedIdTagInfo& enhanced_id_tag_info) { if (enhanced_id_tag_info.id_tag_info.status == AuthorizationStatus::Accepted && this->configuration->getCustomDisplayCostAndPriceEnabled()) { - enhanced_id_tag_info.tariff_message = - this->websocket->is_connected() - ? this->configuration->getTariffMessageWithDefaultPriceText() - : this->configuration->getTariffMessageWithDefaultPriceTextOffline(); + enhanced_id_tag_info.tariff_message = this->websocket->is_connected() + ? this->configuration->getDefaultTariffMessage(false) + : this->configuration->getDefaultTariffMessage(true); } }; @@ -3517,7 +3516,7 @@ EnhancedIdTagInfo ChargePointImpl::authorize_id_token(CiString<20> idTag, const this->tariff_messages_by_id_token.erase(tariff_it); } else { EVLOG_warning << "Tariff message was not received within timeout for idToken " << idTag.get(); - enhanced_id_tag_info.tariff_message = this->configuration->getTariffMessageWithDefaultPriceText(); + enhanced_id_tag_info.tariff_message = this->configuration->getDefaultTariffMessage(false); } this->user_price_cvs.erase(idTag.get()); }
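Review bot: The ternary in update_tariff_message_if_eligible now chooses between two calls that differ only in a bare boolean literal; `this->configuration->getDefaultTariffMessage(!this->websocket->is_connected())` expresses the same selection in one call. In the second hunk the timeout fallback passes `false` unconditionally, so the online text is used even when the tariff message timed out because the connection dropped. If that is intended, a comment such as `// timeout waiting for the tariff message: fall back to the online default text` would record the decision. authorize_id_token starts and ends outside both hunks, so whether `websocket` can be null at these points is not visible here.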
0b84d7f9fb3cFix json exceptions being thrown during handling of invalid messages (#1107)
2 files changed · +19 −5
lib/ocpp/v16/charge_point_impl.cpp+9 −1 modified@@ -1302,7 +1302,15 @@ void ChargePointImpl::message_callback(const std::string& message) { return; } catch (const json::exception& e) { EVLOG_error << "JSON exception during reception of message: " << e.what(); - this->message_dispatcher->dispatch_call_error(CallError(MessageId("-1"), "GenericError", e.what(), json({}))); + std::string error_message; + try { + error_message = json(e.what()).dump(); + } catch (const json::exception& ex) { + error_message = "JSON exception during reception of message: "; + error_message += ex.what(); + } + this->message_dispatcher->dispatch_call_error( + CallError(MessageId("-1"), "GenericError", error_message, json({}))); return; } catch (const std::runtime_error& e) { EVLOG_error << "runtime_error during reception of message: " << e.what();
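Review bot: On the non-throwing path `error_message` holds the result of `json(e.what()).dump()`, which is a quoted and escaped JSON string literal rather than the plain text. The description handed to `CallError` would therefore be encoded a second time when the CallError is serialized, assuming it stores the description as a JSON string. If the aim is only to survive invalid UTF-8 in `e.what()`, `json(e.what()).dump(-1, ' ', false, json::error_handler_t::replace)` does not throw for that case and removes the need for the inner try/catch. The same block is repeated in lib/ocpp/v2/charge_point.cpp, so a shared helper would keep the two handlers in step. message_callback starts before and continues after this hunk.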
lib/ocpp/v2/charge_point.cpp+10 −4 modified@@ -837,16 +837,22 @@ void ChargePoint::message_callback(const std::string& message) { } catch (const json::exception& e) { this->logging->central_system("Unknown", message); EVLOG_error << "JSON exception during reception of message: " << e.what(); + std::string error_message; + try { + error_message = json(e.what()).dump(); + } catch (const json::exception& ex) { + error_message = "JSON exception during reception of message: "; + error_message += ex.what(); + } this->message_dispatcher->dispatch_call_error( - CallError(MessageId("-1"), "RpcFrameworkError", e.what(), json({}))); + CallError(MessageId("-1"), "RpcFrameworkError", error_message, json({}))); const auto& security_event = ocpp::security_events::INVALIDMESSAGES; this->security->security_event_notification_req(CiString<50>(security_event, StringTooLarge::Truncate), - CiString<255>(message, StringTooLarge::Truncate), true, - utils::is_critical(security_event)); + error_message, true, utils::is_critical(security_event)); return; } catch (const StringConversionException& e) { this->logging->central_system("Unknown", message); - EVLOG_error << "JSON exception during reception of message: " << e.what(); + EVLOG_error << "StringConversionException during reception of message: " << e.what(); this->message_dispatcher->dispatch_call_error( CallError(MessageId("-1"), "RpcFrameworkError", e.what(), json({}))); const auto& security_event = ocpp::security_events::INVALIDMESSAGES;
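Review bot: The tech-info argument of `security_event_notification_req` is now the raw `error_message`, whereas the removed line built `CiString<255>(message, StringTooLarge::Truncate)`, so the explicit 255-character truncation is gone. The parameter type is not visible in this hunk; if it is a CiString<255> whose implicit construction rejects over-long input, a long parser message would throw from inside this catch handler, where the sibling catch clauses cannot intercept it. Passing `CiString<255>(error_message, StringTooLarge::Truncate)` keeps the bound. The StringConversionException handler below still passes `e.what()` to `CallError` without the sanitizing step added above it. message_callback starts before and continues after this hunk.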