Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2025-30645

CVE-2025-30645: Juniper Junos SRX Series DoS Vulnerability

CVE-2025-30645 is a NULL pointer dereference DoS vulnerability in Juniper Junos SRX Series that crashes the flowd process via DS-Lite tunnel traffic. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-30645 Overview

A NULL Pointer Dereference vulnerability exists in the flow daemon (flowd) of Juniper Networks Junos OS on SRX Series firewalls. This vulnerability allows an unauthenticated attacker to send specific, valid control traffic through a Dual-Stack (DS) Lite tunnel, causing the flowd process to crash with a segmentation fault. The resulting Denial of Service (DoS) condition causes network outages until the flowd process automatically restarts. Continuous exploitation of this vulnerability can create a sustained DoS condition, severely impacting network availability.

Critical Impact

Unauthenticated remote attackers can cause persistent network outages on Juniper SRX Series firewalls by repeatedly triggering flowd process crashes through maliciously crafted DS-Lite tunnel traffic.

Affected Products

  • Juniper Junos OS on SRX Series (all versions before 21.2R3-S9)
  • Juniper Junos OS on SRX Series (from 21.4 before 21.4R3-S9)
  • Juniper Junos OS on SRX Series (from 22.2 before 22.2R3-S5)
  • Juniper Junos OS on SRX Series (from 22.4 before 22.4R3-S6)
  • Juniper Junos OS on SRX Series (from 23.2 before 23.2R2-S3)
  • Juniper Junos OS on SRX Series (from 23.4 before 23.4R2)
  • Affected hardware: SRX300, SRX320, SRX340, SRX345, SRX380, SRX1500, SRX1600, SRX2300, SRX4100, SRX4120, SRX4200, SRX4300, SRX4600, SRX4700, SRX5400, SRX5600, SRX5800

Discovery Timeline

  • April 9, 2025 - CVE-2025-30645 published to NVD
  • January 26, 2026 - Last updated in NVD database

Technical Details for CVE-2025-30645

Vulnerability Analysis

This vulnerability is classified as CWE-476 (NULL Pointer Dereference), a memory safety issue that occurs when the flowd process attempts to dereference a pointer that has not been properly initialized or has been set to NULL. The flowd daemon is a critical component in Juniper SRX Series firewalls responsible for managing packet flow processing and stateful inspection.

When specific, valid control traffic needs to be transmitted through a DS-Lite (Dual-Stack Lite) tunnel, the flowd process fails to properly validate pointer references before use. DS-Lite is an IPv6 transition technology that encapsulates IPv4 traffic within IPv6 packets, allowing IPv4-only applications to function over IPv6-only networks. The vulnerability is triggered during the processing of control traffic destined for DS-Lite tunnel egress, where improper pointer handling leads to a segmentation fault.

The impact is significant as the flowd process crash results in immediate network disruption. While the process will automatically restart, an attacker can continuously send the triggering traffic to maintain a persistent DoS condition, effectively rendering the firewall non-functional.

Root Cause

The root cause is a NULL pointer dereference in the flowd daemon's DS-Lite tunnel processing logic. When handling outbound control traffic destined for a DS-Lite tunnel, the code path fails to verify that a critical pointer is valid before attempting to use it. This results in a segmentation fault when the process attempts to read or write to memory address 0x0 (NULL), causing immediate process termination.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker must be able to send network traffic that will be processed by the SRX firewall and routed through a configured DS-Lite tunnel. The attack exploits the following conditions:

  1. The target SRX Series firewall must have DS-Lite tunnel configuration active
  2. The attacker sends specific control traffic that triggers the vulnerable code path
  3. When the flowd process attempts to send this traffic out of the DS-Lite tunnel, the NULL pointer dereference occurs
  4. The flowd process crashes, causing network connectivity loss until restart

The attack can be sustained by continuously triggering the vulnerability, preventing the firewall from maintaining stable operation.

Detection Methods for CVE-2025-30645

Indicators of Compromise

  • Unexpected flowd process crashes or restarts visible in system logs
  • Repeated segmentation fault entries in /var/log/messages associated with the flowd daemon
  • Intermittent network connectivity issues correlating with DS-Lite tunnel traffic patterns
  • High frequency of flowd core dump files generated in system diagnostics

Detection Strategies

  • Monitor Junos OS system logs for flowd process crash events using show system processes extensive | match flowd
  • Implement SNMP traps for process restart notifications on SRX Series devices
  • Use Junos Space or other network management tools to alert on abnormal process behavior
  • Deploy network traffic analysis to identify unusual control traffic patterns destined for DS-Lite tunnels

Monitoring Recommendations

  • Enable enhanced logging for the flow daemon to capture crash details and potential attack indicators
  • Configure syslog forwarding to centralized SIEM platforms for correlation and alerting
  • Establish baseline metrics for flowd process stability to detect anomalous restart patterns
  • Implement automated alerting when flowd crash frequency exceeds normal operational thresholds

How to Mitigate CVE-2025-30645

Immediate Actions Required

  • Identify all SRX Series firewalls running vulnerable Junos OS versions in your environment
  • Prioritize patching for devices with active DS-Lite tunnel configurations
  • Review network architecture to limit exposure of SRX devices to untrusted traffic sources
  • Implement rate limiting or access controls on interfaces handling DS-Lite tunnel traffic where feasible

Patch Information

Juniper Networks has released security updates addressing this vulnerability. Upgrade to the following fixed versions based on your current release train:

  • For versions before 21.2: Upgrade to 21.2R3-S9 or later
  • For 21.4 versions: Upgrade to 21.4R3-S9 or later
  • For 22.2 versions: Upgrade to 22.2R3-S5 or later
  • For 22.4 versions: Upgrade to 22.4R3-S6 or later
  • For 23.2 versions: Upgrade to 23.2R2-S3 or later
  • For 23.4 versions: Upgrade to 23.4R2 or later

For complete patch details and download information, refer to the Juniper Security Advisory JSA96455.

Workarounds

  • If DS-Lite functionality is not required, consider disabling DS-Lite tunnel configuration until patching can be completed
  • Implement strict access control lists to limit sources that can send traffic processed through DS-Lite tunnels
  • Deploy redundant firewall configurations to maintain network availability during potential exploitation attempts
  • Consider implementing out-of-band management access to maintain device control during DoS conditions
bash
# Verify current Junos OS version
show version

# Check for DS-Lite configuration
show configuration services softwire

# Monitor flowd process status
show system processes extensive | match flowd

# Review system logs for crash events
show log messages | match flowd

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne