CVE-2025-29916

Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Datasets declared in rules have an option to specify the `hashsize` to use. This size setting isn't properly limited, so the hash table allocation can be large. Untrusted rules can lead to large memory allocations, potentially leading to denial of service due to resource starvation. This vulnerability is fixed in 7.0.9.

CVSS v3 6.2 MEDIUM

6.2^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.5 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/OISF/suricata/commit/a7713db709b8a0be5fc5e5809ab58e9b14a16e85	Patch
https://github.com/OISF/suricata/security/advisories/GHSA-27g3-pmvp-j9cv	Vendor Advisory
https://redmine.openinfosecfoundation.org/issues/7615	Permissions Required

Configurations

Configuration 1 (hide)

cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-04-10 20:15

Updated : 2025-05-29 15:48

NVD link : CVE-2025-29916

Mitre link : CVE-2025-29916

CVE.ORG link : CVE-2025-29916

JSON object : View

Products Affected

oisf

suricata

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2025-29916", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.5}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-04-10T20:15:23.733", "references": [{"url": "https://github.com/OISF/suricata/commit/a7713db709b8a0be5fc5e5809ab58e9b14a16e85", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/OISF/suricata/security/advisories/GHSA-27g3-pmvp-j9cv", "tags": ["Vendor Advisory"], "source": "[email protected]"}, {"url": "https://redmine.openinfosecfoundation.org/issues/7615", "tags": ["Permissions Required"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Datasets declared in rules have an option to specify the `hashsize` to use. This size setting isn't properly limited, so the hash table allocation can be large. Untrusted rules can lead to large memory allocations, potentially leading to denial of service due to resource starvation. This vulnerability is fixed in 7.0.9."}, {"lang": "es", "value": "Suricata es un sistema de detecci\u00f3n de intrusiones de red, un sistema de prevenci\u00f3n de intrusiones y un motor de monitoreo de seguridad de red. Los conjuntos de datos declarados en las reglas tienen una opci\u00f3n para especificar el \u00abtama\u00f1o de hash\u00bb a utilizar. Esta configuraci\u00f3n de tama\u00f1o no est\u00e1 limitada adecuadamente, por lo que la asignaci\u00f3n de la tabla hash puede ser grande. Las reglas no confiables pueden generar grandes asignaciones de memoria, lo que potencialmente puede derivar en una denegaci\u00f3n de servicio debido a la falta de recursos. Esta vulnerabilidad se corrigi\u00f3 en 7.0.9."}], "lastModified": "2025-05-29T15:48:21.190", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9747C005-47BE-4477-9599-5B4177C3579E", "versionEndExcluding": "7.0.9"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}