CVE-2025-64335: Critical NULL Dereference Vulnerability in Suricata Network IDS/IPS

Overview

CVE-2025-64335 is a high-severity vulnerability in Suricata, the widely used open-source network Intrusion Detection System (IDS), Intrusion Prevention System (IPS), and Network Security Monitoring (NSM) engine. It affects versions 8.0.0 up to and including 8.0.1 and can lead to a NULL pointer dereference, potentially causing a denial-of-service (DoS) condition. The vulnerability is triggered when the entropy keyword is used in conjunction with base64_data in Suricata rules.

Technical Details

The root cause of CVE-2025-64335 lies in the way Suricata handles the combination of the entropy keyword and the base64_data option within its rule engine. Specifically, under certain conditions, the program attempts to dereference a NULL pointer when processing rules that utilize these features together. This NULL dereference results in the Suricata process crashing, effectively halting its network monitoring and protection capabilities.

The specific commit that fixes this issue can be found on GitHub: c935f08cd988600fd0a4f828a585b181dd5de012.

CVSS Analysis

This vulnerability has been assigned a CVSS score of 7.5, indicating a HIGH severity. This score reflects the potential for a denial-of-service attack. The breakdown of the CVSS score is as follows:

  • CVSS Score: 7.5
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Possible Impact

The primary impact of CVE-2025-64335 is a denial-of-service (DoS) condition. A successful exploit of this vulnerability will cause the Suricata process to crash, interrupting network traffic analysis and potentially leaving the network vulnerable to attacks that Suricata would normally detect and prevent. This is especially critical for environments relying on Suricata for real-time threat detection and response.

Mitigation or Patch Steps

The recommended solution is to upgrade to Suricata version 8.0.2 or later. This version contains the necessary patch to address the NULL dereference vulnerability.

  1. Upgrade Suricata: The most effective solution is to upgrade your Suricata installation to version 8.0.2 or later. Follow the official Suricata upgrade instructions for your specific operating system and deployment environment.
  2. Workaround (Temporary): If upgrading is not immediately possible, a temporary workaround is to disable any Suricata rules that use the entropy keyword in conjunction with the base64_data option. This will prevent the vulnerable code path from being executed. You can identify such rules by inspecting your Suricata rule sets. Remember to re-enable these rules after upgrading.
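As an added example (not code from the advisory or from the Suricata project), the script below scans a rule file for active rules whose option keywords include both base64_data and entropy, which is the set the temporary workaround says to disable. It matches on parsed option keywords rather than grepping for the words, so a rule that merely mentions them in its msg text is not flagged. The sample rules are constructed for illustration only (the entropy option syntax in them is assumed), and the script assumes one rule per line with no backslash continuations.

```python
"""Added example: list Suricata rules that combine base64_data with entropy."""
import re

# Constructed sample rule set for illustration only, not a real ruleset;
# sid 1000002 is the kind of rule the temporary workaround says to disable.
SAMPLE_RULES = """\
alert http any any -> any any (msg:"mentions base64_data and entropy in text only"; content:"GET"; sid:1000001; rev:1;)
alert http any any -> any any (msg:"b64 body entropy"; http.request_body; base64_decode:bytes 300; base64_data; entropy:value > 7.0; sid:1000002; rev:1;)
# alert tcp any any -> any any (msg:"already disabled"; base64_data; entropy:value > 6; sid:1000003; rev:1;)
alert tcp any any -> any any (msg:"entropy on raw payload"; entropy:value > 7.5; sid:1000004; rev:1;)
"""

OPTIONS_RE = re.compile(r"\((.*)\)\s*$")  # everything inside the option parentheses


def split_options(options):
    """Split the option section on ';', ignoring ';' inside double quotes."""
    parts, buf, in_quote = [], [], False
    for ch in options:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    return parts + [tail] if tail else parts


def option_pairs(rule):
    """Return (keyword, value) pairs from one rule line, or [] if it has no option section."""
    m = OPTIONS_RE.search(rule)
    if not m:
        return []
    return [tuple(s.strip() for s in opt.partition(":")[::2]) for opt in split_options(m.group(1))]


def find_affected_rules(text):
    """Return the sids of active rules that use both the base64_data and entropy keywords."""
    sids = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or rule that is already disabled
        pairs = option_pairs(line)
        keys = {k for k, _ in pairs}
        if "base64_data" in keys and "entropy" in keys:
            sids.append(dict(pairs).get("sid", "?"))
    return sids


if __name__ == "__main__":
    print("rules to disable until 8.0.2:", find_affected_rules(SAMPLE_RULES))
```

Run it against each .rules file loaded by your suricata.yaml and comment out or drop the reported sids until the upgrade is done.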

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.