Overview
CVE-2025-64334 is a high-severity vulnerability affecting Suricata, a widely used network IDS, IPS, and NSM engine. It affects versions 8.0.0 up to, but not including, 8.0.2 and stems from improper handling of compressed HTTP data, which can lead to unbounded memory growth during decompression. An attacker could exploit this flaw to cause a denial-of-service (DoS) condition by exhausting the system's memory. A fix is available in version 8.0.2.
Technical Details
The vulnerability resides in the HTTP decompression functionality of Suricata. When processing compressed HTTP data (specifically when using LZMA compression), the software fails to properly manage memory allocation. This can cause the system to allocate excessive amounts of memory when decompressing malicious or crafted HTTP responses, eventually leading to resource exhaustion. The root cause is an incomplete or missing size check during decompression, allowing the decompressor to allocate more memory than intended or available.
CVSS Analysis
This vulnerability has been assigned a CVSS score of 7.5, indicating a high level of severity.
- CVSS Score: 7.5
- Vector: the advisory does not give the vector string. A 7.5 score with an availability-only impact corresponds to a vector such as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (reachable over the network, low attack complexity, no privileges or user interaction required, no confidentiality or integrity impact, high availability impact).
Possible Impact
Exploitation of CVE-2025-64334 can result in a denial-of-service (DoS) attack. A successful attack could cause the Suricata instance to crash or become unresponsive, disrupting network monitoring and security operations. The impact is heightened in environments with high traffic volumes, as they are more susceptible to rapid memory exhaustion.
Mitigation and Patch Steps
The recommended mitigation is to upgrade Suricata to version 8.0.2 or later. This version contains a patch that addresses the memory management issue.
If upgrading is not immediately feasible, the following workarounds can be implemented:
- Disable LZMA decompression: configuring Suricata not to decompress LZMA-encoded HTTP bodies keeps the vulnerable code path from running. The relevant settings are described in the Suricata documentation.
- Limit response body size: bounding the size of HTTP response bodies that Suricata processes reduces, though it does not eliminate, the memory growth. The `response-body-limit` configuration option serves this purpose; see the Suricata documentation for configuration details.
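As an added illustration of the two workarounds (not a fragment from the advisory or from the Suricata project), the HTTP parser block of `suricata.yaml` with the weak settings commented out beside the hardened ones. The page itself names only `response-body-limit`; the other key names (`lzma-enabled`, `lzma-memlimit`, `compression-bomb-limit`, `request-body-limit`) and the layout under `app-layer.protocols.http.libhtp.default-config` are assumed from the stock `suricata.yaml`, and the values are illustrative.

```yaml
# Added example, not from the original advisory. Key names below are assumed
# from the stock suricata.yaml; only response-body-limit is named on the page.
app-layer:
  protocols:
    http:
      enabled: yes
      libhtp:
        default-config:
          personality: IDS

          # Weak: LZMA bodies are decompressed and a body limit of 0 means
          # "no limit", so a crafted response can keep decompression memory
          # growing for as long as the response lasts.
          # lzma-enabled: yes
          # response-body-limit: 0

          # Hardened interim settings until 8.0.2 or later is deployed:
          lzma-enabled: no            # do not run the LZMA decoder at all
          lzma-memlimit: 1mb          # cap memory the LZMA decoder may use
          compression-bomb-limit: 1mb # cap decompressed output per body
          response-body-limit: 100kb  # stop buffering a response past this size
          request-body-limit: 100kb   # same bound for request bodies

        # Any server-config personality you define gets its own copy of these
        # keys; the default-config block does not apply to it automatically.
```

Disabling LZMA means LZMA-compressed HTTP bodies are no longer inspected, so signatures that match on their decompressed content will not fire; treat these settings as a stopgap and upgrade to 8.0.2 as the actual fix.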
Upgrade Instructions:
Refer to the official Suricata documentation for detailed upgrade instructions appropriate for your operating system and installation method.
