Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-61974

CVE-2025-61974: F5 BIG-IP Next CNF DoS Vulnerability

CVE-2025-61974 is a denial of service vulnerability in F5 BIG-IP Next Cloud-native Network Functions caused by memory exhaustion from undisclosed SSL requests. This article covers technical details, affected systems, and mitigation.

Published:

CVE-2025-61974 Overview

CVE-2025-61974 is a Memory Leak vulnerability affecting F5 BIG-IP Next products. When a client SSL profile is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. This vulnerability allows remote attackers to exhaust memory resources on affected systems, potentially leading to denial of service conditions.

Critical Impact

Remote attackers can trigger memory exhaustion through specially crafted requests to virtual servers with client SSL profiles, leading to service degradation or complete denial of service.

Affected Products

  • F5 BIG-IP Next Cloud-Native Network Functions
  • F5 BIG-IP Next for Kubernetes (versions 2.0.0 and 2.1.0)
  • F5 BIG-IP Next Service Proxy for Kubernetes

Discovery Timeline

  • October 15, 2025 - CVE-2025-61974 published to NVD
  • October 21, 2025 - Last updated in NVD database

Technical Details for CVE-2025-61974

Vulnerability Analysis

This vulnerability is classified under CWE-401 (Missing Release of Memory after Effective Lifetime), indicating a memory leak condition. The flaw exists in the handling of SSL/TLS connections when a client SSL profile is configured on a virtual server. When the affected component processes certain undisclosed requests, it fails to properly release allocated memory resources.

The network-accessible nature of this vulnerability means attackers can exploit it remotely without requiring any authentication or user interaction. The impact is focused on availability, as successful exploitation leads to memory exhaustion that can degrade system performance or cause service outages.

Root Cause

The root cause is a memory leak (CWE-401) in the SSL/TLS handling code within F5 BIG-IP Next products. When processing specific request patterns through virtual servers configured with client SSL profiles, the system allocates memory for request handling but fails to properly deallocate it after the request is processed. Over time or with repeated malicious requests, this leads to progressive memory consumption until system resources are exhausted.

Attack Vector

The attack vector is network-based and requires:

  1. A target F5 BIG-IP Next system with a virtual server configured with a client SSL profile
  2. Network access to the affected virtual server
  3. The ability to send crafted requests that trigger the memory leak condition

The attack does not require authentication, user interaction, or elevated privileges. An attacker can repeatedly send malicious requests to progressively consume memory resources on the target system. F5 has not disclosed the specific nature of the requests that trigger this vulnerability to prevent exploitation.

The vulnerability mechanism involves improper memory management during SSL/TLS session handling. When certain request patterns are processed by the affected components, memory allocated for connection state or request processing is not released after the connection terminates. For detailed technical information, refer to F5 Technical Article K000156733.

Detection Methods for CVE-2025-61974

Indicators of Compromise

  • Abnormal memory consumption patterns on F5 BIG-IP Next systems
  • Progressive memory growth without corresponding increase in legitimate traffic
  • System performance degradation correlating with SSL/TLS connection activity
  • Memory exhaustion alerts or out-of-memory conditions on affected virtual servers

Detection Strategies

  • Monitor memory utilization trends on systems with client SSL profiles configured
  • Implement baseline monitoring for normal memory patterns and alert on deviations
  • Review SSL/TLS connection logs for unusual request patterns or high connection rates
  • Deploy network-level anomaly detection for traffic to virtual servers with SSL profiles

Monitoring Recommendations

  • Configure alerting thresholds for memory utilization on affected F5 BIG-IP Next components
  • Implement continuous monitoring of system resource metrics via SNMP or management APIs
  • Enable detailed logging for SSL/TLS connections to assist in forensic analysis
  • Establish baseline performance metrics to identify abnormal resource consumption

How to Mitigate CVE-2025-61974

Immediate Actions Required

  • Review F5 security advisory K000156733 for affected version details
  • Inventory all F5 BIG-IP Next systems with client SSL profiles configured on virtual servers
  • Apply vendor-provided patches or upgrade to fixed versions as specified in the advisory
  • Implement additional network-level controls to restrict access to management interfaces

Patch Information

F5 has published detailed remediation guidance in their security advisory. Administrators should consult F5 Technical Article K000156733 for specific fixed version information and upgrade procedures. Note that software versions which have reached End of Technical Support (EoTS) are not evaluated by F5 for this vulnerability.

Workarounds

  • Consider implementing rate limiting on virtual servers with SSL profiles to slow potential exploitation
  • Restrict network access to affected virtual servers using firewall rules where possible
  • Configure memory utilization alerts to enable rapid response to potential exploitation attempts
  • Schedule regular service restarts during maintenance windows to reclaim leaked memory if patching is delayed
bash
# Example: Check memory utilization on F5 BIG-IP Next systems
# Consult F5 documentation for specific commands applicable to your deployment
# Monitor memory trends and establish baselines for anomaly detection

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.