CVE-2025-30659 Overview
CVE-2025-30659 is an Improper Handling of Length Parameter Inconsistency vulnerability [CWE-130] in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on SRX Series firewalls. An unauthenticated, network-based attacker can trigger a Denial-of-Service (DoS) condition by sending a specifically malformed packet to a device configured for Secure Vector Routing (SVR). The malformed packet causes the PFE to crash and restart, disrupting traffic forwarding. The issue affects multiple Junos OS release trains from 21.4 through 24.2 on SRX300, SRX1500, SRX1600, SRX2300, SRX4100/4200/4300/4600/4700, and SRX5400/5600/5800 platforms.
Critical Impact
A single malformed packet sent over the network can crash the PFE on SVR-configured SRX firewalls, interrupting all traffic forwarding and enabling a sustained DoS condition.
Affected Products
- Juniper Junos OS on SRX Series — all 21.4 versions
- Juniper Junos OS on SRX Series — 22.2 versions before 22.2R3-S6, 22.4 versions before 22.4R3-S6, 23.2 versions before 23.2R2-S3
- Juniper Junos OS on SRX Series — 23.4 versions before 23.4R2-S4, 24.2 versions before 24.2R2
Discovery Timeline
- 2025-04-09 - CVE-2025-30659 published to NVD
- 2026-01-23 - Last updated in NVD database
Technical Details for CVE-2025-30659
Vulnerability Analysis
The flaw resides in the Packet Forwarding Engine, the data-plane component that processes traffic on SRX Series firewalls. When the device is configured for Secure Vector Routing (SVR), the PFE parses packet length fields without correctly validating their consistency against actual packet contents. A specifically malformed packet triggers this inconsistency and causes the PFE process to crash. The PFE then restarts, but during this interval the firewall stops forwarding traffic. Repeated injection of the malformed packet produces a sustained outage.
Root Cause
The root cause is improper handling of length parameter inconsistency [CWE-130]. The PFE trusts a length value embedded in incoming SVR-related packet structures and uses it to drive subsequent parsing or memory operations without reconciling it against the true byte count available in the packet buffer. The resulting inconsistency leads to an unrecoverable fault that terminates the PFE.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker must be able to deliver the crafted packet to an interface on an SRX device that has SVR enabled. Devices not configured for SVR, and Junos OS releases prior to 21.4, are not affected. Because the impact is confined to availability of the data plane, the vulnerability does not enable code execution or data disclosure.
No public proof-of-concept exploit code is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog at the time of writing. See the Juniper Security Advisory JSA96470 for vendor technical details.
Detection Methods for CVE-2025-30659
Indicators of Compromise
- Unexpected PFE process crashes or restarts on SRX Series firewalls running an affected Junos OS release with SVR enabled.
- Core files generated by the PFE following receipt of unusual or malformed traffic on SVR-enabled interfaces.
- Brief, recurring data-plane outages correlated with inbound traffic from untrusted sources.
Detection Strategies
- Monitor Junos syslog for messages indicating PFE daemon termination, watchdog timeouts, or fpc restarts on SVR-configured devices.
- Correlate firewall control-plane alerts with traffic captures on SVR ingress interfaces to identify the triggering packet pattern.
- Track SNMP availability counters and BGP/OSPF adjacency flaps that coincide with PFE restarts as secondary signals of exploitation attempts.
Monitoring Recommendations
- Forward Junos OS syslog and chassis events to a central logging or SIEM platform and alert on repeated PFE crashes.
- Establish a baseline of normal SVR control traffic so anomalous packet sizes or malformed framing can be flagged.
- Review NetFlow or sFlow telemetry for short-lived spikes from single sources that precede PFE restart events.
How to Mitigate CVE-2025-30659
Immediate Actions Required
- Inventory all SRX Series devices and identify those running Junos OS 21.4 through 24.2 with Secure Vector Routing configured.
- Upgrade affected systems to a fixed release: 22.2R3-S6, 22.4R3-S6, 23.2R2-S3, 23.4R2-S4, 24.2R2, or later. Note that all 21.4 versions are affected and require migration to a fixed train.
- Restrict reachability of SVR-enabled interfaces to trusted peers using firewall filters or routing policies until patches are applied.
Patch Information
Juniper Networks has released fixed software addressing CVE-2025-30659. Refer to the Juniper Security Advisory JSA96470 for the complete list of fixed versions and download links. The advisory confirms that releases before 21.4 are not affected, and that no fix is provided within the 21.4 train — operators on 21.4 must move to a later fixed release.
Workarounds
- Disable Secure Vector Routing on SRX devices where the feature is not required, as the vulnerability only manifests on SVR-configured systems.
- Apply ingress access control lists or firewall filters to limit which sources can deliver SVR traffic to the PFE.
- Place affected devices behind upstream filtering that drops malformed packets before they reach the SRX data plane.
# Configuration example: restrict SVR-related ingress to trusted peers
set firewall family inet filter PROTECT-SVR term trusted-svr from source-address <trusted-peer>/32
set firewall family inet filter PROTECT-SVR term trusted-svr then accept
set firewall family inet filter PROTECT-SVR term default then discard
set interfaces <svr-interface> unit 0 family inet filter input PROTECT-SVR
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
