CVE-2025-54858 Overview
CVE-2025-54858 is a high-severity Denial of Service vulnerability affecting F5 BIG-IP Advanced Web Application Firewall (WAF) and BIG-IP Application Security Manager (ASM). When a security policy is configured with a JSON content profile containing a malformed JSON schema and applied to a virtual server, specially crafted requests can cause the bd (blocking daemon) process to terminate unexpectedly.
This vulnerability arises from improper handling of malformed JSON schema configurations (CWE-674: Uncontrolled Recursion), where the security enforcement daemon fails to properly validate or process certain request patterns when operating with an invalid schema definition. The termination of the bd process can result in temporary loss of security policy enforcement and potential service disruption.
Critical Impact
Attackers can exploit this vulnerability remotely without authentication to crash the BIG-IP security enforcement process, potentially bypassing WAF protections and causing service disruption for protected applications.
Affected Products
- F5 BIG-IP Advanced Web Application Firewall
- F5 BIG-IP Application Security Manager
- Virtual servers with JSON content profiles containing malformed JSON schemas
Discovery Timeline
- October 15, 2025 - CVE-2025-54858 published to NVD
- October 21, 2025 - Last updated in NVD database
Technical Details for CVE-2025-54858
Vulnerability Analysis
This vulnerability is classified under CWE-674 (Uncontrolled Recursion), indicating that the root cause involves improper handling of recursive or deeply nested structures within JSON schema processing. When the BIG-IP security policy enforcement daemon (bd process) encounters requests that interact with a malformed JSON schema configuration, it enters an uncontrolled state that leads to process termination.
The vulnerability specifically manifests when:
- A JSON content profile is configured within a BIG-IP ASM or Advanced WAF security policy
- The JSON schema definition within that profile is malformed or contains invalid structures
- The security policy is actively applied to a virtual server
- Undisclosed request patterns are sent to the protected virtual server
The bd process is critical to BIG-IP's security enforcement capabilities, handling real-time traffic inspection and policy enforcement. When this process terminates, there may be a gap in security coverage until the process restarts.
Root Cause
The vulnerability stems from uncontrolled recursion (CWE-674) in the JSON schema processing logic within the BIG-IP security policy enforcement daemon. When a malformed JSON schema is present in the configuration, the schema validation or request parsing routines may enter an infinite or excessively deep recursion state when processing certain request patterns, ultimately causing stack exhaustion and process termination.
The issue specifically occurs because the bd process does not adequately validate the integrity of JSON schema configurations before using them for request inspection, nor does it implement proper recursion depth limits when processing requests against malformed schemas.
Attack Vector
The attack is network-accessible and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Identifying a BIG-IP virtual server with an ASM or Advanced WAF policy that uses a JSON content profile
- Sending specially crafted HTTP requests designed to trigger the malformed schema processing path
- The bd process encounters the malformed schema during request inspection and enters an uncontrolled state
- Process termination occurs, disrupting security policy enforcement
The specific request patterns that trigger this condition have not been publicly disclosed by F5 to prevent exploitation. However, organizations with JSON content profiles containing improperly formatted schemas are at risk.
Detection Methods for CVE-2025-54858
Indicators of Compromise
- Unexpected bd process crashes or restarts in BIG-IP logs
- Repeated core dumps or error messages related to JSON schema processing
- Temporary gaps in WAF/ASM policy enforcement with corresponding log entries
- Increased restart counts for the bd daemon in system monitoring
Detection Strategies
- Monitor BIG-IP system logs for bd process termination events using log analysis tools
- Configure SNMP traps or syslog alerts for daemon restart events on BIG-IP devices
- Review JSON content profiles in ASM/Advanced WAF policies for schema validation errors
- Implement health monitoring that tracks security enforcement process status
Monitoring Recommendations
- Enable detailed logging for ASM/Advanced WAF policy enforcement events
- Set up automated alerts for any bd process crashes or unexpected restarts
- Monitor traffic patterns for unusual request volumes targeting JSON-enabled virtual servers
- Regularly audit JSON schema configurations for validity and proper formatting
How to Mitigate CVE-2025-54858
Immediate Actions Required
- Review all JSON content profiles in active security policies for malformed schema definitions
- Validate JSON schemas using external JSON schema validators before deployment
- Monitor BIG-IP systems for signs of bd process instability or crashes
- Consider temporarily removing or correcting any malformed JSON schemas until patches are applied
Patch Information
F5 has released security guidance for this vulnerability. Organizations should consult the F5 Knowledge Base Article K000156621 for specific patch versions and upgrade instructions. Note that software versions which have reached End of Technical Support (EoTS) are not evaluated for this vulnerability.
Administrators should:
- Identify current BIG-IP software versions using tmsh show sys version
- Review the F5 advisory for applicable fixed versions
- Plan and execute upgrades following F5's recommended upgrade procedures
- Validate security policy functionality after patching
Workarounds
- Audit and correct any malformed JSON schemas in content profiles before applying to production policies
- Implement external JSON schema validation as part of the security policy deployment workflow
- Consider removing JSON content profiles temporarily if they are not essential to security requirements
- Enable BIG-IP daemon process monitoring with automatic alerting on crashes
# Configuration example
# Check current bd process status
tmctl -a bd status
# Review JSON profiles in ASM policy (via tmsh)
tmsh list asm policy /Common/<policy_name> json-profile
# Monitor bd process restarts in logs
tail -f /var/log/ltm | grep -i "bd.*restart\|bd.*terminated"
# Validate JSON schema externally before deployment
# Use tools like ajv-cli or jsonschema to validate schemas
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
