CVE-2025-59959 Overview
CVE-2025-59959 is an Untrusted Pointer Dereference vulnerability [CWE-822] in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved. A local, authenticated attacker with low privileges can crash rpd by executing a specific BGP route inspection command. The crash occurs when show route < ( receive-protocol | advertising-protocol ) bgp > detail is run against routes containing certain attributes. The daemon restarts after the crash, producing a Denial-of-Service condition on the routing control plane. The equivalent show route ... extensive form is not affected.
Critical Impact
Any authenticated operator able to run BGP route inspection commands can repeatedly crash the routing protocol daemon, disrupting route processing on affected Juniper devices.
Affected Products
- Juniper Junos OS: all versions before 22.4R3-S8, 23.2 before 23.2R2-S5, 23.4 before 23.4R2-S5, 24.2 before 24.2R2-S2, 24.4 before 24.4R2
- Juniper Junos OS Evolved: all versions before 22.4R3-S8-EVO, 23.2 before 23.2R2-S5-EVO, 23.4 before 23.4R2-S6-EVO, 24.2 before 24.2R2-S2-EVO, 24.4 before 24.4R2-EVO
- Routing platforms running rpd with BGP receive or advertise sessions configured
Discovery Timeline
- 2026-01-15 - CVE-2025-59959 published to NVD
- 2026-01-23 - Last updated in NVD database
Technical Details for CVE-2025-59959
Vulnerability Analysis
The flaw resides in the routing protocol daemon (rpd), the user-space process responsible for BGP, OSPF, IS-IS, and other routing protocol state on Junos platforms. When an operator issues show route receive-protocol bgp <neighbor> detail or show route advertising-protocol bgp <neighbor> detail, rpd formats per-route output and dereferences pointers associated with specific BGP path attributes. Under certain attribute combinations, an untrusted or unvalidated pointer is followed, leading to a process crash. Because rpd owns the routing information base, its restart forces re-establishment of routing adjacencies and reconvergence on the affected device.
Root Cause
The root cause is improper validation of an internal pointer during detailed BGP route formatting [CWE-822]. The detail output path reads attribute data without verifying that the referenced memory is the expected structure. The extensive variant uses a separate code path that performs the access safely, which is why it does not trigger the crash.
Attack Vector
Exploitation requires local CLI access with low privileges on the device. The attacker does not need root or configuration privileges, only the ability to execute show route commands. Triggering the bug also depends on at least one route in the relevant BGP session carrying the specific attribute combination, an externally influenced condition controlled by upstream BGP peers. Repeated execution produces a sustained DoS on the routing control plane.
No public proof-of-concept code is available, and exploitation requires authenticated CLI access. See the Juniper Security Advisory JSA103148 for vendor-confirmed technical details.
Detection Methods for CVE-2025-59959
Indicators of Compromise
- Unexpected rpd core files in /var/crash/ or /var/tmp/ with timestamps correlating to operator show route activity
- Syslog entries indicating RPD_TASK_REINIT, rpd[<pid>]: ... signal 11, or routing protocol session flaps following CLI command execution
- Repeated BGP neighbor state transitions (Established → Idle → Established) without underlying network change
Detection Strategies
- Correlate rpd process restarts in syslog with CLI command audit records from cli-commands accounting logs to identify the originating user and command
- Alert on any rpd core file generation, as legitimate operations should not crash the daemon
- Monitor TACACS+ or RADIUS command accounting for execution of show route receive-protocol bgp ... detail or show route advertising-protocol bgp ... detail followed by routing instability
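The correlation described in the detection strategies above, as an added example (not code from the advisory or from Juniper): it pairs rpd crash or restart messages with a preceding show route ... bgp ... detail command on the same host. The log lines are constructed, and their layout (ISO timestamp, host, process[pid]) and the 60-second window are assumptions; UI_CMDLINE_READ_LINE is the Junos event that records interactive CLI commands.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, not from a real device. Assumed layout:
# "<ISO timestamp> <host> <process>[<pid>]: <message>"
SAMPLE_LOG = """\
2026-01-20T10:00:01 r1 mgd[4101]: UI_CMDLINE_READ_LINE: User 'noc1', command 'show route receive-protocol bgp 192.0.2.1 extensive '
2026-01-20T10:02:10 r1 mgd[4177]: UI_CMDLINE_READ_LINE: User 'operator1', command 'show route advertising-protocol bgp 192.0.2.1 detail '
2026-01-20T10:02:11 r1 rpd[2250]: exited on signal 11 (core dumped)
2026-01-20T10:02:15 r1 rpd[4302]: RPD_TASK_REINIT: Reinitializing
2026-01-20T11:30:00 r2 mgd[900]: UI_CMDLINE_READ_LINE: User 'noc2', command 'show route receive-protocol bgp 198.51.100.7 detail '
2026-01-20T14:00:00 r2 rpd[1200]: RPD_TASK_REINIT: Reinitializing
"""

LINE = re.compile(r"^(\S+) (\S+) (\w+)\[\d+\]: (.*)$")
CMD = re.compile(r"UI_CMDLINE_READ_LINE: User '([^']+)', command '([^']*)'")
# The affected command form; the 'extensive' form is deliberately not matched.
RISKY = re.compile(r"^show route (receive-protocol|advertising-protocol) bgp \S.*\bdetail\b")
# rpd indicators named on this page.
CRASH = re.compile(r"signal 11\b|RPD_TASK_REINIT")

def correlate(log_text, window=timedelta(seconds=60)):
    """Return each affected-form command that was followed, on the same host
    and within `window`, by at least one rpd crash/restart message."""
    commands = {}  # host -> list of command records, in log order
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, host, proc, msg = m.groups()
        when = datetime.fromisoformat(ts)
        cmd = CMD.search(msg)
        if proc == "mgd" and cmd and RISKY.search(cmd.group(2)):
            commands.setdefault(host, []).append(
                {"host": host, "user": cmd.group(1), "time": when,
                 "command": cmd.group(2).strip(), "events": []})
        elif proc == "rpd" and CRASH.search(msg):
            # Attach the rpd event to every recent risky command on this host.
            for rec in commands.get(host, []):
                if timedelta(0) <= when - rec["time"] <= window:
                    rec["events"].append(msg)
    return [r for recs in commands.values() for r in recs if r["events"]]

if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f["host"], f["user"], f["command"], f["events"])
```
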
Monitoring Recommendations
- Forward Junos syslog and command accounting to a centralized SIEM or data lake for correlation across the routing fleet
- Track BGP session uptime and route table size deltas to surface anomalous reconvergence events
- Review request system core-dumps output regularly to capture crash artifacts before automatic cleanup
How to Mitigate CVE-2025-59959
Immediate Actions Required
- Upgrade affected devices to a fixed Junos OS or Junos OS Evolved release listed in JSA103148
- Restrict CLI access to trusted operators only and remove low-privilege accounts that do not require show route capability
- Audit recent command accounting logs for execution of the vulnerable show route ... detail forms against BGP
Patch Information
Juniper has released fixed versions in Junos OS 22.4R3-S8, 23.2R2-S5, 23.4R2-S5, 24.2R2-S2, 24.4R2, and corresponding Junos OS Evolved builds 22.4R3-S8-EVO, 23.2R2-S5-EVO, 23.4R2-S6-EVO, 24.2R2-S2-EVO, and 24.4R2-EVO. Refer to the Juniper Security Advisory JSA103148 and the Juniper Support Portal for upgrade packages.
Workarounds
- Use show route receive-protocol bgp <neighbor> extensive or show route advertising-protocol bgp <neighbor> extensive instead of the detail form, as the extensive variant is not affected
- Apply Junos login classes to restrict the show route command from accounts that do not need it
- Limit CLI access using allow-commands and deny-commands regular expressions in user class configuration
```
# Example Junos login class restricting the vulnerable command form
set system login class restricted-ops permissions view
set system login class restricted-ops deny-commands "show route (receive-protocol|advertising-protocol) bgp .* detail"
set system login user operator1 class restricted-ops
commit
```


