CVE-2025-58750 Overview
CVE-2025-58750 is a critical out-of-bounds read/write vulnerability affecting rAthena, an open-source cross-platform massively multiplayer online role-playing game (MMORPG) server. The vulnerability exists in the chclif_parse_moveCharSlot function, where a missing bounds check allows attackers to read and write out of bounds using user-controlled slot indices. This flaw can be exploited remotely without authentication, potentially compromising server integrity and exposing sensitive character data.
Critical Impact
Remote unauthenticated attackers can exploit this vulnerability to read and write arbitrary memory locations, potentially leading to information disclosure, data corruption, or server compromise.
Affected Products
- rAthena versions prior to commit 0cc348b
- All rAthena server deployments running vulnerable character selection code
- MMORPG server instances using the affected chclif_parse_moveCharSlot function
Discovery Timeline
- 2025-09-09 - CVE-2025-58750 published to NVD
- 2025-09-17 - Last updated in NVD database
Technical Details for CVE-2025-58750
Vulnerability Analysis
This vulnerability stems from improper input validation in the character slot movement functionality of rAthena's character server. The chclif_parse_moveCharSlot function processes client requests to move characters between slots, but it did not validate that the from and to slot indices were within acceptable bounds before using them to index the sd->found_char and sd->char_moves arrays.
The vulnerability is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-125 (Out-of-bounds Read). The network-accessible nature of this flaw means attackers can craft malicious packets from anywhere on the network to trigger the vulnerability without any prior authentication.
Root Cause
The root cause is a missing bounds validation check against MAX_CHARS for both the from and to parameters in the chclif_parse_moveCharSlot function. Without this check, user-supplied values could exceed the allocated array sizes, allowing memory operations outside the intended buffer boundaries.
Attack Vector
An attacker can exploit this vulnerability by sending specially crafted network packets to the rAthena character server. By manipulating the character slot movement request with out-of-bounds slot indices, the attacker can:
- Read beyond array boundaries: access memory contents outside the intended character data structures
- Write to unintended memory locations: potentially corrupt adjacent memory structures or overwrite critical server data
- Bypass authentication mechanisms: as the vulnerability exists in the character selection phase, no game-level authentication is required
The attack can be executed remotely over the network with no user interaction required.
// Security patch in src/char/char_clif.cpp - Added a missing bounds check
// Source: https://github.com/rathena/rathena/commit/0cc348b186bbcc3c604c17c39589a319f27d469b
//Cnt = RFIFOW(fd,6); //how many time we have left to change (client.. lol we don't trust him)
RFIFOSKIP(fd,8);
- // Have we changed to often or is it disabled?
+ // Bounds check
+ if( from >= MAX_CHARS ){
+ chclif_moveCharSlotReply( fd, sd, from, 1 );
+ return 1;
+ }
+
+ // Have we changed too often or is it disabled?
if( (charserv_config.charmove_config.char_move_enabled)==0
|| ( (charserv_config.charmove_config.char_moves_unlimited)==0 && sd->char_moves[from] <= 0 ) ){
chclif_moveCharSlotReply( fd, sd, from, 1 );
return 1;
}
- // We don't even have a character on the chosen slot?
- if( sd->found_char[from] <= 0 || to >= sd->char_slots ){
+ // Check if there is a character on this slot
+ if( sd->found_char[from] <= 0 ){
+ chclif_moveCharSlotReply( fd, sd, from, 1 );
+ return 1;
+ }
+
+ // Bounds check
+ if( to >= MAX_CHARS ){
+ chclif_moveCharSlotReply( fd, sd, from, 1 );
+ return 1;
+ }
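Review bot: the removed condition `if( sd->found_char[from] <= 0 || to >= sd->char_slots )` also rejected a destination slot at or above the account's own slot count (sd->char_slots), but the replacement only checks `to >= MAX_CHARS`; unless that per-account limit is enforced elsewhere in the function, a client with fewer than MAX_CHARS slots could now move a character into a slot it is not entitled to. Suggest keeping both conditions, e.g. `if( to >= MAX_CHARS || to >= sd->char_slots )`, and stating in the comment which limit each check enforces. The ordering of the new `from >= MAX_CHARS` check ahead of the `sd->char_moves[from]` read is correct and is the part that closes the out-of-bounds access.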
Detection Methods for CVE-2025-58750
Indicators of Compromise
- Unusual character slot movement requests with slot indices exceeding normal character slot limits
- Unexpected server crashes or memory corruption events in the character server process
- Anomalous network traffic patterns to the character server port with malformed packet structures
- Log entries showing failed character operations or unexpected error responses from chclif_moveCharSlotReply
Detection Strategies
- Monitor network traffic for character server packets containing abnormally high slot index values
- Implement intrusion detection rules to flag character movement requests where slot indices exceed MAX_CHARS
- Deploy memory protection mechanisms that can detect out-of-bounds memory access attempts
- Enable verbose logging for character server operations to capture exploitation attempts
Monitoring Recommendations
- Configure real-time alerting for character server process crashes or restarts
- Monitor memory utilization patterns on rAthena server instances for anomalies
- Review character server logs regularly for patterns of invalid slot movement attempts
- Implement network-level packet inspection for rAthena protocol anomalies
How to Mitigate CVE-2025-58750
Immediate Actions Required
- Update rAthena to commit 0cc348b or later immediately
- Review character server logs for any signs of previous exploitation attempts
- Consider temporarily disabling character slot movement functionality if immediate patching is not possible
- Implement network access controls to limit exposure of the character server
Patch Information
The rAthena development team has addressed this vulnerability in commit 0cc348b186bbcc3c604c17c39589a319f27d469b. The fix adds explicit bounds checking for both the from and to slot parameters against MAX_CHARS before any array access operations occur.
For detailed patch information, refer to the GitHub Commit Change and the GitHub Security Advisory GHSA-pjh7-jgr8-4ff6.
Workarounds
- Restrict network access to the character server port using firewall rules to trusted IP ranges only
- Deploy a reverse proxy or packet filter that validates character slot indices before forwarding to the server
- Disable the character slot movement feature entirely in the server configuration if not required
- Implement rate limiting on character server connections to slow potential exploitation attempts
# Configuration example - Restrict access to character server
# Add to firewall rules (iptables example)
iptables -A INPUT -p tcp --dport 6121 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 6121 -j DROP
# Alternative: Disable character movement in char_athena.conf
# char_move_enabled: no
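The packet-filter workaround above and the detection rule that flags slot indices exceeding MAX_CHARS can share one check. The following is an added example, not rAthena's own code: it applies the patched ordering of checks to a raw request before either index touches an array. The leading packet-id bytes and the from/to offsets are assumptions (the patch shows only the count word at offset 6 and the 8-byte skip), and MAX_CHARS = 15 is assumed from rAthena's default.

```cpp
// Added example (not rAthena code): validate a move-char-slot request the way
// the patched chclif_parse_moveCharSlot does, before the slot indices touch any
// array. Usable as the check in a filtering proxy or as the body of an IDS rule.
#include <cstdint>
#include <cstddef>
#include <vector>

constexpr int MAX_CHARS = 15;        // assumed: rAthena default in mmo.hpp

enum class MoveVerdict { Ok, FromOutOfBounds, ToOutOfBounds, NoCharInSlot,
                         NoMovesLeft, Truncated };

// Minimal stand-in for the fields of char_session_data the handler reads.
struct SessionState {
    bool move_enabled = true;        // charserv_config.charmove_config.char_move_enabled
    bool moves_unlimited = false;    // charserv_config.charmove_config.char_moves_unlimited
    int  char_moves[MAX_CHARS] = {}; // remaining moves per slot
    int  found_char[MAX_CHARS] = {}; // char id per slot; <= 0 means the slot is empty
};

// Assumed wire layout: 2-byte packet id, then from, to, count as 16-bit LE words
// (count sits at offset 6 and the handler skips 8 bytes, as the patch shows).
static uint16_t rd16(const std::vector<uint8_t>& p, size_t off) {
    return static_cast<uint16_t>(p[off] | (p[off + 1] << 8));
}

MoveVerdict check_move_request(const std::vector<uint8_t>& pkt, const SessionState& sd) {
    if (pkt.size() < 8) return MoveVerdict::Truncated;
    const uint16_t from = rd16(pkt, 2);
    const uint16_t to   = rd16(pkt, 4);
    // 1. bounds on 'from' BEFORE sd.char_moves[from] is read (the CVE fix)
    if (from >= MAX_CHARS) return MoveVerdict::FromOutOfBounds;
    // 2. feature disabled or per-slot move quota exhausted
    if (!sd.move_enabled || (!sd.moves_unlimited && sd.char_moves[from] <= 0))
        return MoveVerdict::NoMovesLeft;
    // 3. is there a character in the source slot?
    if (sd.found_char[from] <= 0) return MoveVerdict::NoCharInSlot;
    // 4. bounds on 'to' before it is used as an index
    if (to >= MAX_CHARS) return MoveVerdict::ToOutOfBounds;
    return MoveVerdict::Ok;
}

// Build a constructed request packet (the packet id is a placeholder, not the real opcode).
std::vector<uint8_t> make_request(uint16_t from, uint16_t to, uint16_t count = 1) {
    std::vector<uint8_t> p = {0x00, 0x00};
    for (uint16_t v : {from, to, count}) { p.push_back(v & 0xff); p.push_back(v >> 8); }
    return p;
}
```

Any verdict other than Ok on a request from a client is what the "slot indices exceed MAX_CHARS" detection rule should log, with FromOutOfBounds and ToOutOfBounds being the two that correspond to this CVE.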
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

