CVE-2025-59147 Overview
CVE-2025-59147 is a detection bypass vulnerability affecting Suricata, a widely deployed open-source network Intrusion Detection System (IDS), Intrusion Prevention System (IPS), and Network Security Monitoring (NSM) engine developed by the Open Information Security Foundation (OISF) and the Suricata community. This vulnerability allows attackers to evade detection by sending crafted traffic containing multiple SYN packets with different sequence numbers within the same flow tuple, causing Suricata to fail to properly establish and track the TCP session.
Critical Impact
Attackers can bypass IDS detection and logging capabilities in affected Suricata deployments by exploiting improper TCP session handling, potentially allowing malicious traffic to pass undetected through network security controls.
Affected Products
- OISF Suricata versions 7.0.11 and below
- OISF Suricata version 8.0.0 (including beta1 and rc1 releases)
- OISF Suricata version 8.0.0-beta1
- OISF Suricata version 8.0.0-rc1
Discovery Timeline
- October 1, 2025 - CVE-2025-59147 published to NVD
- October 6, 2025 - Last updated in NVD database
Technical Details for CVE-2025-59147
Vulnerability Analysis
This vulnerability stems from an improperly implemented security check (CWE-358) in Suricata's TCP stream handling logic. When processing TCP connection establishment, Suricata's stream engine maintains a queue of SYN and SYN/ACK candidates to track potential TCP sessions. The flaw occurs when an attacker sends multiple SYN packets with varying sequence numbers within the same flow tuple (source IP, destination IP, source port, destination port, protocol).
Under normal circumstances, Suricata should correctly identify and track the legitimate TCP handshake regardless of additional spurious SYN packets. However, due to improper handling of these retransmission scenarios, the stream engine becomes confused about which SYN packet represents the actual session initiation, causing it to fail to properly establish the TCP session tracking state.
The behavior differs based on the deployment mode:
- IDS Mode: Detection rules fail to trigger and logging is bypassed, allowing malicious traffic to pass without alerting security teams
- IPS Mode: The flow gets blocked entirely, which could cause denial of service for legitimate traffic
Root Cause
The root cause lies in how Suricata's TCP state machine handles SYN and SYN/ACK retransmission candidates. The TcpStateQueue structure in stream-tcp-private.h was originally designed to track only SYN/ACK candidates, but failed to properly account for scenarios where multiple SYN packets with different sequence numbers arrive for the same connection tuple.
The patch updates the queue handling to properly manage both SYN and SYN/ACK candidates, improving the retransmission handling logic to maintain accurate session state even when receiving anomalous TCP handshake patterns.
Attack Vector
The attack can be executed remotely over the network without requiring any authentication or user interaction. An attacker crafts TCP traffic that includes multiple SYN packets with different sequence numbers targeting the same destination flow tuple. This confuses Suricata's TCP session tracking mechanism, causing it to lose track of the actual TCP session being established.
The attack workflow:
- Attacker initiates a connection to a target behind a Suricata deployment
- Multiple SYN packets with varying sequence numbers are sent within the same flow tuple
- Suricata's stream engine fails to properly track the TCP session
- Subsequent malicious traffic within the session bypasses detection rules
- Security events are not logged, allowing the attack to proceed undetected
uint32_t reassembly_depth; /**< reassembly depth for the stream */
TcpStream server;
TcpStream client;
- TcpStateQueue *queue; /**< list of SYN/ACK candidates */
+ TcpStateQueue *queue; /**< list of SYN or SYN/ACK candidates */
} TcpSession;
#define StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream) \
Source: Suricata GitHub Commit
Detection Methods for CVE-2025-59147
Indicators of Compromise
- Multiple SYN packets with different sequence numbers observed within the same 5-tuple flow
- Anomalous TCP handshake patterns where multiple SYN packets precede SYN/ACK responses
- Unexplained gaps in Suricata detection logs despite network activity
- Inconsistencies between network traffic captures and Suricata alert logs
Detection Strategies
- Deploy packet capture at network boundaries to compare raw traffic against Suricata logs for detection gaps
- Implement secondary detection mechanisms or honeypots to identify traffic that may be bypassing Suricata
- Monitor for TCP sessions with abnormal handshake characteristics using flow analysis tools independent of Suricata
- Review Suricata stream engine statistics for unusual session establishment failure rates
Monitoring Recommendations
- Enable detailed TCP stream logging in Suricata to identify potential bypass attempts
- Cross-reference Suricata logs with firewall and router flow data to detect logging discrepancies
- Implement alerting for anomalous ratios of SYN packets to established connections
- Monitor Suricata version deployments across the organization to ensure patched versions are in use
How to Mitigate CVE-2025-59147
Immediate Actions Required
- Upgrade Suricata to version 7.0.12 or 8.0.1 immediately to address this vulnerability
- Review recent security logs for potential exploitation attempts prior to patching
- Verify that Suricata instances are properly tracking TCP sessions after the upgrade
- Consider temporarily deploying additional detection mechanisms until patching is complete
Patch Information
OISF has released patched versions that address this vulnerability by improving SYN and SYN/ACK retransmission handling in the TCP stream engine. The fix ensures proper tracking of TCP session candidates regardless of anomalous SYN packet patterns.
Fixed Versions:
- Suricata 7.0.12 - For the 7.x branch
- Suricata 8.0.1 - For the 8.x branch
Security patches are available via the official GitHub commits:
For additional details, refer to the GitHub Security Advisory and the Suricata Forum Release Announcement.
Workarounds
- Deploy complementary IDS/IPS solutions to provide defense-in-depth while awaiting patch deployment
- Implement strict network segmentation to limit potential impact of detection bypass
- Enable enhanced logging on upstream network devices to maintain visibility during the vulnerability window
- Consider running Suricata in IPS mode if detection bypass is more critical than potential flow blocking (note: this causes affected flows to be blocked rather than missed)
# Verify current Suricata version
suricata --build-info | grep -E "^Version"
# Update Suricata on Debian/Ubuntu systems
sudo apt update && sudo apt install suricata
# Restart Suricata after update
sudo systemctl restart suricata
# Verify the updated version
suricata -V
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
