CVE-2025-21591 Overview
CVE-2025-21591 is a Buffer Access with Incorrect Length Value vulnerability [CWE-805] in the jdhcpd daemon of Juniper Networks Junos OS. When DHCP snooping is enabled, an unauthenticated attacker on an adjacent network can send a Dynamic Host Configuration Protocol (DHCP) packet containing a malformed DHCP option. The malformed packet causes jdhcpd to crash, producing a Denial of Service (DoS) condition. Continuous transmission of these crafted packets results in a sustained DoS against affected devices. The flaw does not affect vSRX Series devices, which do not support DHCP snooping, nor does it impact Junos OS Evolved.
Critical Impact
An adjacent attacker can repeatedly crash the jdhcpd daemon on vulnerable Junos OS routers and switches, disabling DHCP services across affected network segments.
Affected Products
- Juniper Junos OS 23.1 before 23.2R2-S3
- Juniper Junos OS 23.4 before 23.4R2-S3
- Juniper Junos OS 24.2 before 24.2R2
Discovery Timeline
- 2025-04-09 - CVE-2025-21591 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2025-21591
Vulnerability Analysis
The vulnerability resides in the jdhcpd daemon, the process that handles DHCP relay, server, and snooping functions on Junos OS. When DHCP snooping is enabled, jdhcpd parses inbound DHCP packets to validate option fields before forwarding or recording binding entries. The daemon fails to correctly validate the length value of a specific DHCP option, leading to an out-of-bounds buffer access [CWE-805]. The resulting memory access violation terminates the daemon, removing DHCP processing from the affected device until the process restarts or is restarted again by the next malformed packet.
Root Cause
The root cause is improper validation of a length field within a DHCP option. The daemon trusts the attacker-supplied length value when accessing the option payload buffer. When the declared length exceeds the actual data or buffer boundary, jdhcpd reads or writes outside the intended memory region. The condition triggers a fatal error in the daemon. Junos OS versions prior to 23.1R1 do not contain the vulnerable code path.
Attack Vector
Exploitation requires network adjacency. The attacker must reach a Layer 2 segment where DHCP snooping is active on the Juniper device. No authentication or user interaction is required. The attacker crafts a DHCP packet containing a DHCP option with a malformed length field and transmits it on the segment. The Juniper device processes the option through jdhcpd, which crashes upon parsing. Repeated transmissions sustain the outage by crashing the daemon each time it restarts.
No proof-of-concept exploit code is publicly available. Refer to the Juniper Security Advisory JSA96448 for vendor technical details.
Detection Methods for CVE-2025-21591
Indicators of Compromise
- Unexpected termination or repeated restarts of the jdhcpd process in Junos OS log files.
- Loss of DHCP address assignment for clients on segments where snooping is enabled.
- DHCP packets observed on monitored segments containing options with length fields inconsistent with their payload size.
Detection Strategies
- Monitor Junos OS syslog and chassis daemon logs for jdhcpd crashes, core file generation, and process restart events.
- Deploy packet capture on access-layer interfaces to identify malformed DHCP option lengths in client-originated traffic.
- Correlate DHCP service interruptions with the source MAC and switchport of preceding DHCP traffic to localize the attacker.
Monitoring Recommendations
- Forward Junos OS logs to a centralized log analytics or SIEM platform and alert on jdhcpd daemon failures.
- Track DHCP snooping statistics with show dhcp-security statistics and alert on sudden drops in processed packets.
- Baseline DHCP request rates per port and alert on anomalous volumes from a single source on snooped VLANs.
How to Mitigate CVE-2025-21591
Immediate Actions Required
- Upgrade Junos OS to a fixed release: 23.2R2-S3, 23.4R2-S3, 24.2R2, or later as listed in the Juniper advisory.
- Inventory all Junos OS devices with DHCP snooping enabled and prioritize patching access-layer switches and routers.
- Restrict physical and logical access to Layer 2 segments adjacent to vulnerable devices until patching is complete.
Patch Information
Juniper Networks has released fixed software in Junos OS 23.2R2-S3, 23.4R2-S3, 24.2R2, and all subsequent releases. Full upgrade instructions and downloads are available in the Juniper Security Advisory JSA96448. Junos OS releases prior to 23.1R1 and all Junos OS Evolved releases are not affected.
Workarounds
- Disable DHCP snooping on affected devices where it is not strictly required, since the vulnerable code path is reached only when snooping is enabled.
- Apply port-level controls such as restricting DHCP traffic to known trusted ports and enforcing storm-control on access interfaces.
- Use access port security features (MAC limiting, 802.1X) to reduce the population of devices that can inject crafted DHCP packets.
# Example: disable DHCP snooping on a VLAN as a temporary workaround (Junos CLI)
configure
delete vlans <vlan-name> forwarding-options dhcp-security
commit and-quit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
