EVerest Out-of-Bounds Access Vulnerability in DC_ChargeLoopRes Message Leading to Null Pointer Dereference

Vulnerability

A null pointer dereference vulnerability has been identified in EVerest, an EV charging software stack, prior to version 2025.10.0. The issue arises during the deserialization of a 'DC_ChargeLoopRes' message that includes 'Receipt' and 'TaxCosts'. The vulnerability is triggered when the 'tax_costs' vector in the 'Receipt' structure is accessed out of bounds, leading to a crash. This occurs in a specific conversion method, causing the module to terminate and shutting down all EVerest processes, impacting all Electric Vehicle Supply Equipment (EVSE).
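The bug class described above, sketched as an added example that is not EVerest's code: a conversion routine copies a decoded, fixed-capacity array into a `std::vector`. All type names, function names and the capacity of 10 are assumptions made for illustration. The unsized variant uses `.at()` so that the out-of-bounds access throws instead of being undefined behaviour.

```cpp
// Added illustration; every name here is hypothetical, not EVerest's.
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

constexpr std::size_t kMaxTaxCosts = 10;  // assumed capacity of the decoded array

struct DecodedTaxCost { std::uint32_t tax_rule_id; std::int32_t amount; };
struct DecodedReceipt {                   // shape of a C-style codec output
    DecodedTaxCost tax_costs[kMaxTaxCosts];
    std::size_t tax_costs_len;            // count taken from the wire
};

struct TaxCost { std::uint32_t tax_rule_id; std::int32_t amount; };
struct Receipt { std::vector<TaxCost> tax_costs; };  // empty by default

// Bug class: indexing a destination vector that was never sized.
// With operator[] this is undefined behaviour (typically a crash);
// .at() turns it into std::out_of_range so the fault is observable.
Receipt convert_unsized(const DecodedReceipt& in) {
    Receipt out;
    for (std::size_t i = 0; i < in.tax_costs_len; ++i) {
        out.tax_costs.at(i) = {in.tax_costs[i].tax_rule_id, in.tax_costs[i].amount};
    }
    return out;
}

// Hardened: validate the wire-supplied count, then grow the vector.
bool convert_checked(const DecodedReceipt& in, Receipt& out) {
    if (in.tax_costs_len > kMaxTaxCosts) {
        return false;  // reject instead of reading past the source array
    }
    out.tax_costs.clear();
    out.tax_costs.reserve(in.tax_costs_len);
    for (std::size_t i = 0; i < in.tax_costs_len; ++i) {
        out.tax_costs.push_back({in.tax_costs[i].tax_rule_id, in.tax_costs[i].amount});
    }
    return true;
}
```

Returning an error from the conversion lets the caller drop the message and keep the module running, rather than letting one malformed message terminate the process.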

Impact

Exploitation of this vulnerability crashes the affected EVerest module. When that module terminates, all other modules are shut down, disrupting all EVSE operations.

Reproduction

The vulnerability can be reproduced by sending a 'DC_ChargeLoopRes' message that includes a 'Receipt' and one 'TaxCost' over a plain TCP connection to the EVSE's ISO D20 port. This can be done by first sending a Session Description Protocol (SDP) request to open a connection, and then transmitting the payload that triggers the vulnerability. The EVerest module will crash and exit with a status indicating a segmentation fault, which can be observed in the application's log.

Remediation

Users can upgrade to EVerest version 2025.10.0 or later to address this vulnerability.

Added: Jan 21, 2026, 8:20 PM
Updated: Jan 21, 2026, 8:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.8
remediation: 0.0
relevance: 2.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.