Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-61938

CVE-2025-61938: F5 BIG-IP Advanced WAF DoS Vulnerability

CVE-2025-61938 is a denial of service vulnerability in F5 BIG-IP Advanced WAF caused by URLs exceeding 1024 characters in Data Guard settings. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-61938 Overview

CVE-2025-61938 is a Denial of Service vulnerability affecting F5 BIG-IP Advanced Web Application Firewall (WAF) and Application Security Manager (ASM) products. When a security policy is configured with a URL exceeding 1024 characters in length for the Data Guard Protection Enforcement setting—whether configured manually or through the automatic Policy Builder—the bd process can terminate repeatedly. This repeated process termination results in service disruption and potential loss of security protection for backend applications.

Critical Impact

Attackers can exploit this vulnerability remotely without authentication to cause repeated crashes of the bd process, leading to denial of service conditions that disable WAF/ASM protection for critical web applications.

Affected Products

  • F5 BIG-IP Advanced Web Application Firewall (versions prior to fixes, excluding EoTS versions)
  • F5 BIG-IP Application Security Manager (versions prior to fixes, excluding EoTS versions)
  • F5 BIG-IP Advanced Web Application Firewall version 17.5.0

Discovery Timeline

  • 2025-10-15 - CVE-2025-61938 published to NVD
  • 2025-10-21 - Last updated in NVD database

Technical Details for CVE-2025-61938

Vulnerability Analysis

This vulnerability is classified under CWE-1284 (Improper Validation of Specified Quantity in Input), indicating a failure to properly validate the length of URL strings used in the Data Guard Protection Enforcement configuration. The bd (BIG-IP daemon) process fails to handle URL inputs exceeding 1024 characters, causing repeated process terminations that result in service unavailability.

The vulnerability can be triggered through network-based attack vectors without requiring authentication or user interaction. When exploited, the impact is primarily on availability—the security enforcement mechanisms become non-functional as the bd process repeatedly crashes and attempts to restart.

Root Cause

The root cause lies in improper input validation within the Data Guard Protection Enforcement feature. The system does not adequately validate or sanitize URL length parameters when they are configured either manually by administrators or automatically generated by the Policy Builder feature. When a URL string exceeding 1024 characters is processed, it causes an unhandled exception or buffer condition that leads to the bd process termination.

Attack Vector

The vulnerability is exploitable remotely over the network. An attacker could potentially craft malicious requests or configurations that result in overly long URLs being processed by the Data Guard Protection Enforcement mechanism. Since the vulnerability affects both manual configuration and the automatic Policy Builder, there are multiple potential attack surfaces:

  1. Direct manipulation of security policy configurations if an attacker gains administrative access
  2. Crafting web traffic patterns that influence the automatic Policy Builder to generate problematic URL entries
  3. Exploiting any configuration import mechanisms that could introduce malicious URL patterns

The attack does not require user interaction or prior authentication for exploitation, making it a high-severity concern for exposed BIG-IP deployments.

Detection Methods for CVE-2025-61938

Indicators of Compromise

  • Repeated bd process crash events in BIG-IP system logs
  • Unexpected restarts or service interruptions of the WAF/ASM protection services
  • Error messages related to Data Guard Protection Enforcement URL processing
  • Anomalous entries in security policies with URLs exceeding 1024 characters

Detection Strategies

  • Monitor BIG-IP system logs for repeated bd process terminations or restart events
  • Implement alerting for service availability degradation on WAF/ASM protected applications
  • Audit security policy configurations for URL entries exceeding 1024 characters in Data Guard settings
  • Review Policy Builder generated configurations for unusually long URL patterns

Monitoring Recommendations

  • Configure SNMP traps or syslog alerts for bd process state changes
  • Implement health checks that verify WAF/ASM protection is actively functioning
  • Monitor system resource utilization patterns that may indicate repeated crash/restart cycles
  • Track configuration changes to Data Guard Protection Enforcement settings

How to Mitigate CVE-2025-61938

Immediate Actions Required

  • Review all BIG-IP Advanced WAF and ASM security policies for URL configurations exceeding 1024 characters
  • Audit Policy Builder generated configurations and remove or truncate problematic URL entries
  • Apply vendor patches as soon as they become available from F5
  • Consider temporarily disabling automatic Policy Builder if it generates vulnerable configurations

Patch Information

F5 has released security guidance for this vulnerability. Administrators should consult the F5 Security Article K000156624 for specific patch information, affected version details, and upgrade guidance. Software versions that have reached End of Technical Support (EoTS) are not evaluated for this vulnerability.

Workarounds

  • Manually audit and ensure all URLs in Data Guard Protection Enforcement settings are under 1024 characters
  • Disable automatic Policy Builder features that may generate long URL configurations until patching is complete
  • Implement configuration validation scripts to prevent URLs exceeding the safe length limit
  • Consider network segmentation to limit exposure of BIG-IP management interfaces
bash
# Example: Check Data Guard URL configuration lengths in tmsh
# Review security policies for potentially problematic URL lengths
tmsh list asm policy /Common/<policy_name> data-guard
# Audit all policies for URLs that may exceed safe limits
tmsh list asm url | grep -E "name.{1024,}"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.