CVE-2025-30651 Overview
CVE-2025-30651 is a Buffer Access with Incorrect Length Value vulnerability [CWE-805] in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved. An unauthenticated, network-based attacker can trigger a Denial of Service (DoS) by sending a specific ICMPv6 packet to an interface configured with protocols router-advertisement. The malformed packet causes rpd to crash and restart. Sustained delivery of the packet maintains a continuous DoS condition. The issue affects only systems configured with IPv6 and impacts routing availability on affected devices.
Critical Impact
A remote, unauthenticated attacker can repeatedly crash the routing protocol daemon on Juniper devices with IPv6 router advertisement enabled, disrupting routing operations and network availability.
Affected Products
- Juniper Junos OS (all versions before 21.2R3-S9, and 21.4, 22.2, 22.4, 23.2, 23.4 prior to fixed releases)
- Juniper Junos OS Evolved (all versions before 21.2R3-S9-EVO, and 21.4-EVO, 22.2-EVO, 22.4-EVO, 23.2-EVO, 23.4-EVO prior to fixed releases)
- Only systems configured with IPv6 and protocols router-advertisement
Discovery Timeline
- 2025-04-09 - CVE-2025-30651 published to NVD
- 2026-01-23 - Last updated in NVD database
Technical Details for CVE-2025-30651
Vulnerability Analysis
The vulnerability resides in the routing protocol daemon (rpd), the Junos process responsible for managing routing protocols including IPv6 Router Advertisement (RA). When rpd processes an incoming ICMPv6 packet on an interface configured with protocols router-advertisement, it accesses a buffer using an incorrect length value. This results in a memory access fault and a daemon crash. After the crash, rpd restarts automatically, but continued transmission of the triggering packet produces a sustained outage of routing functions on the device.
Root Cause
The defect is classified as CWE-805: Buffer Access with Incorrect Length Value. The rpd code path that parses ICMPv6 router advertisement traffic uses a length value that does not correctly correspond to the underlying buffer, causing memory access outside the intended bounds and a process termination signal.
Attack Vector
An attacker requires only network reachability to an IPv6-enabled interface with router advertisement configured. No authentication or user interaction is needed. A crafted ICMPv6 packet, when delivered to the vulnerable interface, terminates rpd. By repeating the packet at an appropriate rate, the attacker prevents rpd from resuming stable operation and degrades or eliminates routing on the device. Systems without IPv6 configured are not affected.
No public proof-of-concept code is available. Technical details and packet specifics are described in the Juniper Security Advisory JSA96461.
Detection Methods for CVE-2025-30651
Indicators of Compromise
- Repeated rpd daemon crashes and restarts visible in Junos system logs (/var/log/messages, chassisd and rpd entries)
- Unexpected core files generated by rpd on devices with IPv6 router advertisement configured
- Routing protocol session flaps (BGP, OSPF, IS-IS) coinciding with rpd restarts
- Inbound ICMPv6 traffic spikes targeting interfaces running protocols router-advertisement
Detection Strategies
- Monitor Junos syslog for rpd termination messages such as RPD_TASK_REINIT or process restart events
- Correlate rpd crashes with inbound ICMPv6 packet flows on RA-enabled interfaces
- Inspect generated core files on the routing engine for rpd signatures following an outage
Monitoring Recommendations
- Forward Junos logs to a centralized logging or SIEM platform and alert on repeated rpd restarts within short time windows
- Capture NetFlow/IPFIX or sFlow data for ICMPv6 traffic to identify abnormal sources targeting RA interfaces
- Track BGP and IGP session stability metrics and trigger investigation when flaps align with rpd events
How to Mitigate CVE-2025-30651
Immediate Actions Required
- Inventory all Junos OS and Junos OS Evolved devices and identify those running affected versions with IPv6 and protocols router-advertisement configured
- Apply fixed software releases from Juniper as documented in JSA96461
- Restrict ICMPv6 traffic to RA-enabled interfaces using firewall filters where operationally feasible
- Monitor rpd stability and routing session health during and after remediation
Patch Information
Juniper has released fixed versions addressing CVE-2025-30651. Upgrade Junos OS to 21.2R3-S9, 21.4R3-S10, 22.2R3-S6, 22.4R3-S4, 23.2R2-S2, 23.4R2, or later. Upgrade Junos OS Evolved to 21.2R3-S9-EVO, 21.4R3-S10-EVO, 22.2R3-S6-EVO, 22.4R3-S4-EVO, 23.2R2-S2-EVO, 23.4R2-EVO, or later. Refer to the Juniper Security Advisory JSA96461 for complete fix details.
Workarounds
- Where IPv6 router advertisement is not required, remove protocols router-advertisement from interface configurations
- Apply ingress firewall filters on affected interfaces to limit or rate-limit untrusted ICMPv6 traffic
- Restrict IPv6 segments adjacent to vulnerable interfaces to trusted devices only until patches are applied
# Example: rate-limit ICMPv6 on affected interfaces (illustrative)
set firewall family inet6 filter LIMIT-ICMPv6 term ra-limit from next-header icmp6
set firewall family inet6 filter LIMIT-ICMPv6 term ra-limit then policer ICMP6-POLICER
set firewall family inet6 filter LIMIT-ICMPv6 term default then accept
set interfaces <interface> unit 0 family inet6 filter input LIMIT-ICMPv6
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
