CVE-2025-61104 Overview
A NULL pointer dereference vulnerability has been discovered in FRRouting (FRR), an open-source IP routing protocol suite. The vulnerability exists in the show_vty_unknown_tlv function within ospf_ext.c and affects FRRouting versions 4.0 through 10.4.1. This vulnerability allows remote attackers to cause a Denial of Service (DoS) condition by sending specially crafted OSPF (Open Shortest Path First) packets to vulnerable routing infrastructure.
Critical Impact
Remote attackers can crash FRRouting daemons without authentication, potentially disrupting network routing across enterprise and service provider environments.
Affected Products
- FRRouting versions 4.0 through 10.4.1
- Network infrastructure running affected FRR versions with OSPF enabled
- Linux-based routers and routing appliances utilizing FRRouting
Discovery Timeline
- 2025-10-28 - CVE-2025-61104 published to NVD
- 2025-10-31 - Last updated in NVD database
Technical Details for CVE-2025-61104
Vulnerability Analysis
This vulnerability stems from improper handling of OSPF Type-Length-Value (TLV) structures in the FRRouting OSPF Extended Link State Advertisement (LSA) processing code. When the show_vty_unknown_tlv function encounters a malformed or unexpected TLV structure within an OSPF packet, it fails to properly validate the pointer before dereferencing it, resulting in a NULL pointer dereference condition.
FRRouting is widely deployed in enterprise networks, data centers, and service provider environments as a replacement for proprietary routing software. The OSPF daemon (ospfd) processes incoming OSPF packets to maintain routing tables and exchange topology information with neighboring routers. Because OSPF operates at Layer 3 and is typically enabled across network boundaries, an attacker with network access to OSPF-enabled interfaces can exploit this vulnerability remotely without authentication.
The successful exploitation results in immediate process termination of the affected daemon, causing routing disruptions until the service is restarted. In environments where automatic service restart is not configured, this can lead to prolonged network outages.
Root Cause
The root cause is a missing NULL pointer check in the show_vty_unknown_tlv function located in ospf_ext.c. When processing OSPF packets containing extended TLV structures, the function assumes that certain data structures are properly initialized. A crafted OSPF packet with malformed TLV data can trigger a code path where a NULL pointer is dereferenced, causing the OSPF daemon to crash. This is classified as CWE-476 (NULL Pointer Dereference).
Attack Vector
The attack can be executed remotely over the network by an unauthenticated attacker. The attacker must be able to send OSPF packets to a vulnerable FRRouting instance. This typically requires the attacker to be on the same network segment as the target router or have the ability to inject packets into the network path. The attack does not require any user interaction and can be executed with a single malformed OSPF packet.
The vulnerability manifests in the TLV parsing logic within the OSPF Extended LSA handling code. When processing unknown or malformed TLV types, the show_vty_unknown_tlv function fails to validate pointer integrity before attempting to access TLV data. For detailed technical analysis, refer to the GitHub Issue Discussion and the vulnerability report.
Detection Methods for CVE-2025-61104
Indicators of Compromise
- Unexpected crashes or restarts of the FRRouting ospfd daemon
- Core dump files generated by ospfd with stack traces pointing to show_vty_unknown_tlv in ospf_ext.c
- OSPF neighbor relationships repeatedly dropping and re-establishing
- System logs showing segmentation faults in FRRouting processes
Detection Strategies
- Monitor FRRouting daemon stability and implement alerting for unexpected process terminations
- Analyze network traffic for anomalous OSPF packets with malformed TLV structures
- Deploy network intrusion detection systems (IDS) with signatures for malformed OSPF extended LSA packets
- Review system logs for crash reports mentioning ospf_ext.c or show_vty_unknown_tlv
Monitoring Recommendations
- Implement process health monitoring for all FRRouting daemons with automatic alerting
- Configure centralized logging to capture OSPF daemon crash events across the network infrastructure
- Monitor OSPF neighbor state changes that may indicate exploitation attempts
- Enable core dump collection and analysis for post-incident forensic review
How to Mitigate CVE-2025-61104
Immediate Actions Required
- Upgrade FRRouting to a patched version that includes the fix from commit fdd957408605d4a1766225630aafc7e6b7c3daf3
- Review and restrict network access to OSPF-enabled interfaces to trusted network segments only
- Implement OSPF authentication (MD5 or cryptographic authentication) to prevent unauthorized OSPF packet injection
- Configure automatic service restart for FRRouting daemons to minimize downtime in case of crashes
Patch Information
The FRRouting project has addressed this vulnerability through Pull Request #19480. The specific fix is available in commit fdd957408605d4a1766225630aafc7e6b7c3daf3. Organizations should upgrade to a FRRouting version that includes this fix. Check the official FRRouting releases for the latest patched version.
Workarounds
- Implement OSPF authentication to prevent unauthenticated attackers from sending crafted OSPF packets
- Deploy network access control lists (ACLs) to restrict OSPF traffic to known, trusted routing peers
- Isolate routing infrastructure on dedicated management networks where possible
- Configure process supervisors to automatically restart crashed FRRouting daemons to minimize service disruption
# Enable OSPF MD5 authentication on interfaces
vtysh -c "configure terminal" -c "interface eth0" -c "ip ospf authentication message-digest" -c "ip ospf message-digest-key 1 md5 YOUR_SECRET_KEY"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
