What is the CVSS score of CVE-2025-68139?

CVE-2025-68139 has a CVSS 3.1 base score of 4.3 (Medium). CVSS vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of Everest are affected by CVE-2025-68139?

Organizations using all should be aware of moderate risk from CVE-2025-68139 rated CVSS 4.3. Exploitation could compromise the security of affected deployments.

How to fix or mitigate CVE-2025-68139?

Within 30 days: Identify affected systems running all and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Everest CVE-2025-68139

MEDIUM

Session Fixation (CWE-384)

2026-01-21 security-advisories@github.com

Information Disclosure Everest

4.3

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

4.3 MEDIUM

AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Jan 21, 2026 - 20:16 nvd

MEDIUM 4.3

DescriptionGitHub Advisory

EVerest is an EV charging software stack. In all versions up to and including 2025.12.1, the default value for terminate_connection_on_failed_response is False, which leaves the responsibility for session and connection termination to the EV. In this configuration, any errors encountered by the module are logged but do not trigger countermeasures such as session and connection reset or termination. This could be abused by a malicious user in order to exploit other weaknesses or vulnerabilities. While the default will stay at the setting that is described as potentially problematic in this reported issue, a mitigation is available by changing the terminate_connection_on_failed_response setting to true. However this cannot be set to this value by default since it can trigger errors in vehicle ECUs requiring ECU resets and lengthy unavailability in charging for vehicles. The maintainers judge this to be a much more important workaround then short-term unavailability of an EVSE, therefore this setting will stay at the current value.

AnalysisAI

Technical ContextAI

Classified as CWE-384 (Session Fixation). Affects Everest. EVerest is an EV charging software stack. In all versions up to and including 2025.12.1, the default value for terminate_connection_on_failed_response is False, which leaves the responsibility for session and connection termination to the EV. In this configuration, any errors encountered by the module are logged but do not trigger countermeasures such as session and connection reset or termination. This could be abused by a malicious user in order to exploit other weaknesses or vulnerabiliti

RemediationAI

Monitor vendor advisories for a patch.

CVE-2025-68139 vulnerability details – vuln.today

Back

Everest CVE-2025-68139

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code