CVE-2025-30659: Juniper Junos SRX Series DoS Vulnerability

CVE-2025-30659 Overview

CVE-2025-30659 is an Improper Handling of Length Parameter Inconsistency vulnerability [CWE-130] in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on SRX Series firewalls. An unauthenticated, network-based attacker can crash the PFE by sending a specifically malformed packet to a device configured for Secure Vector Routing (SVR). The PFE restarts after the crash, causing service interruption. Sustained or repeated exploitation produces a persistent Denial-of-Service condition on the affected SRX appliance. Juniper disclosed the issue in advisory JSA96470, which covers Junos OS releases 21.4 through 24.2 on the full SRX product family.

Critical Impact

An unauthenticated, remote attacker can repeatedly crash the Packet Forwarding Engine of an SRX firewall configured for SVR, disrupting traffic forwarding and producing a sustained Denial-of-Service.

Affected Products

• Juniper Junos OS on SRX Series — all 21.4 versions
• Juniper Junos OS on SRX Series — 22.2 versions before 22.2R3-S6, 22.4 versions before 22.4R3-S6, 23.2 versions before 23.2R2-S3
• Juniper Junos OS on SRX Series — 23.4 versions before 23.4R2-S4 and 24.2 versions before 24.2R2, across SRX300/320/340/345/380, SRX1500/1600, SRX2300, SRX4100/4120/4200/4300/4600/4700, and SRX5400/5600/5800 platforms

Discovery Timeline

• 2025-04-09 - CVE-2025-30659 published to NVD
• 2026-01-23 - Last updated in NVD database

Technical Details for CVE-2025-30659

Vulnerability Analysis

The vulnerability resides in the Packet Forwarding Engine of Junos OS on SRX Series devices that have Secure Vector Routing enabled. SVR is the underlying overlay technology used by Juniper's Session Smart Routing for application-aware steering across WAN paths. When the PFE parses an incoming SVR packet, it relies on length fields embedded in the packet header to bound subsequent processing. The PFE does not adequately validate the consistency between declared length parameters and the actual packet contents. A malformed packet whose declared length is inconsistent with its real payload size triggers the parsing fault, terminating the PFE process. The PFE then restarts, dropping traffic until forwarding state is reestablished. Repeated packets sustain the outage without authentication or user interaction.

Root Cause

The root cause is improper handling of length parameter inconsistency [CWE-130] in PFE code paths that process SVR-encapsulated traffic. The parser trusts a length field that an attacker can manipulate, leading to a memory access or state inconsistency that the PFE cannot recover from gracefully. Junos OS releases earlier than 21.4 do not contain the affected SVR code paths and are therefore not impacted.

Attack Vector

Exploitation requires only network reachability to an interface processing SVR traffic on a vulnerable SRX. The attacker sends a single specifically malformed SVR packet to trigger a PFE crash and restart. No credentials, configuration access, or user interaction are required. Devices without SVR configured are not affected. Refer to the Juniper Security Advisory JSA96470 for vendor-confirmed technical details.

Detection Methods for CVE-2025-30659

Indicators of Compromise

• Unexpected PFE process restarts logged in messages or chassisd logs on SRX devices running an affected Junos OS version with SVR enabled.
• Brief traffic forwarding interruptions correlating with inbound traffic on SVR-handling interfaces.
• Core files produced by the PFE shortly after receiving traffic from untrusted sources.

Detection Strategies

• Inventory all SRX devices and confirm Junos OS version against the fixed releases listed in JSA96470 to identify exposed appliances.
• Audit configurations for SVR (Session Smart / Secure Vector Routing) features and identify interfaces that terminate SVR sessions from untrusted networks.
• Correlate PFE restart events with packet captures on SVR interfaces to identify malformed packet patterns preceding the crash.

Monitoring Recommendations

• Forward Junos syslog output and chassis daemon events to a centralized log platform and alert on repeated PFE restarts on the same device.
• Monitor SNMP traps and operational state changes for jnxFruOK transitions and PFE liveness on SRX chassis.
• Track interface counter anomalies and traffic black-holing on SVR-enabled interfaces as a secondary signal of exploitation attempts.

How to Mitigate CVE-2025-30659

Immediate Actions Required

• Upgrade affected SRX devices to a fixed Junos OS release: 22.2R3-S6, 22.4R3-S6, 23.2R2-S3, 23.4R2-S4, 24.2R2, or any subsequent release per JSA96470.
• For 21.4 deployments, plan migration to a supported, fixed train, as all 21.4 versions are affected.
• Restrict network exposure of SVR-handling interfaces to trusted peers using firewall filters and infrastructure ACLs until patching is complete.

Patch Information

Juniper has released fixed software addressing CVE-2025-30659. The authoritative source for fixed builds and upgrade guidance is the Juniper Security Advisory JSA96470. Customers should consult the advisory for platform-specific upgrade paths and any service-impacting upgrade considerations on SRX clusters.

Workarounds

• Where SVR is not in use, ensure it is not enabled in the configuration to remove the vulnerable code path from exposure.
• Apply stateless firewall filters on SRX loopback and transit interfaces to permit SVR traffic only from known, trusted endpoints.
• Segment SVR control and data plane reachability with infrastructure ACLs at upstream routers to limit reachability from untrusted networks.

# Example: restrict SVR traffic to trusted peers on Junos (illustrative)
set firewall family inet filter PROTECT-SVR term allow-trusted from source-address <trusted-peer>/32
set firewall family inet filter PROTECT-SVR term allow-trusted then accept
set firewall family inet filter PROTECT-SVR term default then discard
set interfaces <svr-interface> unit 0 family inet filter input PROTECT-SVR