SB2025112740 - Multiple vulnerabilities in Suricata
Published: November 27, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 7 secuirty vulnerabilities.
1) NULL pointer dereference (CVE-ID: CVE-2025-64335)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error when the entropy keyword is used in conjunction with base64_data. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
2) Resource exhaustion (CVE-ID: CVE-2025-64334)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when handling compressed HTTP data. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
3) Stack-based buffer overflow (CVE-ID: CVE-2025-64333)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a boundary error when handling large HTTP content type. A remote attacker can trigger a stack-based buffer overflow and crash the application.
4) Stack-based buffer overflow (CVE-ID: CVE-2025-64332)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a boundary error when handling compressed data if SWF decompression is enabled. A remote attacker can trigger a stack-based buffer overflow and perform a denial of service attack.
5) Stack-based buffer overflow (CVE-ID: CVE-2025-64331)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a boundary error on large HTTP file transfers. A remote attacker can trigger a stack-based buffer overflow and perform a denial of service attack.
Successful exploitation of this vulnerability requires that the HTTP response body limit has been increased and that logging of printable HTTP bodies was enabled.
6) Heap-based buffer overflow (CVE-ID: CVE-2025-64330)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a boundary error when logging the verdict in eve.alert and eve.drop records. A remote attacker can generate multiple alerts to fill the per packet alert queue and perform a denial of service attack.
7) Stack-based buffer overflow (CVE-ID: CVE-2025-64344)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a boundary error when handling Lua scripts. A remote attacker can trick the victim into using a specially crafted Lua script, trigger a stack-based buffer overflow and crash the application.
Remediation
Install update from vendor's website.
References
- https://github.com/OISF/suricata/security/advisories/GHSA-v299-h7p3-q4f2
- https://redmine.openinfosecfoundation.org/issues/7959
- https://github.com/OISF/suricata/security/advisories/GHSA-r5jf-v2gx-gx8w
- https://redmine.openinfosecfoundation.org/issues/7980
- https://github.com/OISF/suricata/security/advisories/GHSA-537h-xxmx-v87m
- https://redmine.openinfosecfoundation.org/issues/8056
- https://github.com/OISF/suricata/security/advisories/GHSA-p32q-7wcp-gv92
- https://redmine.openinfosecfoundation.org/issues/8055
- https://github.com/OISF/suricata/security/advisories/GHSA-v32w-j79x-pfj2
- https://redmine.openinfosecfoundation.org/issues/8004
- https://github.com/OISF/suricata/security/advisories/GHSA-83v7-gm34-f437
- https://redmine.openinfosecfoundation.org/issues/8021
- https://github.com/OISF/suricata/security/advisories/GHSA-93fh-cgmc-w3rx
- https://redmine.openinfosecfoundation.org/issues/8065