CVE-2025-59959 Overview
An Untrusted Pointer Dereference vulnerability (CWE-822) has been identified in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved. This vulnerability allows a local, authenticated attacker with low privileges to cause a Denial-of-Service (DoS) condition by crashing and restarting the rpd process.
The vulnerability is triggered when executing the command show route < ( receive-protocol | advertising-protocol ) bgp > detail while at least one of the routes in the intended output has specific attributes. Notably, the show route ... extensive command variant is not affected by this issue.
Critical Impact
Local authenticated attackers can repeatedly crash the routing protocol daemon, disrupting network routing operations and potentially causing widespread service availability issues across the network infrastructure.
Affected Products
- Junos OS: All versions before 22.4R3-S8
- Junos OS: 23.2 versions before 23.2R2-S5
- Junos OS: 23.4 versions before 23.4R2-S5
- Junos OS: 24.2 versions before 24.2R2-S2
- Junos OS: 24.4 versions before 24.4R2
- Junos OS Evolved: All versions before 22.4R3-S8-EVO
- Junos OS Evolved: 23.2 versions before 23.2R2-S5-EVO
- Junos OS Evolved: 23.4 versions before 23.4R2-S6-EVO
- Junos OS Evolved: 24.2 versions before 24.2R2-S2-EVO
- Junos OS Evolved: 24.4 versions before 24.4R2-EVO
Discovery Timeline
- 2026-01-15 - CVE CVE-2025-59959 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2025-59959
Vulnerability Analysis
This vulnerability stems from improper handling of pointers within the routing protocol daemon (rpd) when processing certain BGP route display commands. The rpd is a critical component responsible for managing routing protocols including BGP, OSPF, IS-IS, and others on Juniper network devices.
When an authenticated user with CLI access executes a show route command with the receive-protocol bgp detail or advertising-protocol bgp detail parameters, the rpd process attempts to dereference a pointer that may not be properly validated. If specific route attributes are present in the output, this untrusted pointer dereference leads to memory access violations, causing the rpd process to crash and subsequently restart.
The attack requires local access and authentication, limiting the exposure to users who already have some level of access to the device's CLI. However, even low-privileged users can exploit this vulnerability, making it a significant concern in multi-tenant environments or where operator access is broadly distributed.
Root Cause
The root cause is classified as CWE-822: Untrusted Pointer Dereference. The rpd process fails to properly validate pointer values before dereferencing them during the route detail display operation. When routes contain specific attributes, the pointer handling code encounters an unexpected state, leading to dereferencing of an invalid or corrupted pointer address.
This type of vulnerability typically occurs when:
- Pointer values are derived from user-controlled input without proper validation
- Memory state changes occur between pointer assignment and dereference
- Error handling fails to account for edge cases in route attribute processing
Attack Vector
The attack requires local access to the Juniper device with valid authentication credentials. An attacker with low-privilege CLI access can exploit this vulnerability by:
- Authenticating to the Juniper device via console, SSH, or other management interfaces
- Executing the vulnerable show route command with BGP protocol display options and the detail parameter
- If routes with the triggering attributes exist in the routing table, the rpd process will crash
The vulnerability manifests specifically when processing BGP route information with certain attributes during the detail output generation. The exact attribute combination that triggers the crash is documented in the Juniper Security Advisory JSA103148.
Since the rpd process will restart after crashing, repeated exploitation can cause sustained denial of service, preventing the device from properly participating in routing protocols and potentially causing network-wide instability.
Detection Methods for CVE-2025-59959
Indicators of Compromise
- Repeated rpd process crashes visible in system logs with core dumps
- Unexpected BGP session flapping or routing protocol instability
- System log entries showing rpd restarts coinciding with show route command execution
- Increased frequency of routing convergence events across the network
Detection Strategies
- Monitor system logs for rpd crash events using syslog aggregation and alerting
- Implement command accounting to track execution of show route commands with BGP protocol parameters
- Configure SNMP traps for process restarts and routing daemon failures
- Deploy SentinelOne Singularity to detect anomalous process behavior and crash patterns on network infrastructure
Monitoring Recommendations
- Enable enhanced logging for the rpd process to capture detailed crash information
- Configure centralized log management to correlate rpd crashes with user command history
- Implement network monitoring to detect BGP session instability patterns
- Review authentication logs for unusual access patterns preceding rpd crashes
How to Mitigate CVE-2025-59959
Immediate Actions Required
- Upgrade affected Juniper devices to patched software versions as outlined in the advisory
- Review and restrict CLI access privileges to minimize the number of users who can execute diagnostic commands
- Implement role-based access controls to limit show route command availability to essential personnel only
- Monitor for exploitation attempts while preparing for patching
Patch Information
Juniper Networks has released patched versions addressing this vulnerability. Organizations should upgrade to the following minimum versions:
Junos OS:
- 22.4R3-S8 or later for all pre-22.4 versions
- 23.2R2-S5 or later for 23.2 branch
- 23.4R2-S5 or later for 23.4 branch
- 24.2R2-S2 or later for 24.2 branch
- 24.4R2 or later for 24.4 branch
Junos OS Evolved:
- 22.4R3-S8-EVO or later for all pre-22.4 versions
- 23.2R2-S5-EVO or later for 23.2 branch
- 23.4R2-S6-EVO or later for 23.4 branch
- 24.2R2-S2-EVO or later for 24.2 branch
- 24.4R2-EVO or later for 24.4 branch
For detailed upgrade instructions and software downloads, refer to the Juniper Support Portal.
Workarounds
- Restrict access to the CLI for non-essential users until patches can be applied
- Use the show route ... extensive command variant as an alternative, which is not affected by this vulnerability
- Implement access control lists or firewall rules to limit management plane access
- Consider disabling or restricting BGP route display commands through custom user class configurations
# Example: Restrict show route commands for specific user class
set system login class restricted-operator permissions view
set system login class restricted-operator deny-commands "show route .* detail"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
