CVE-2025-62170 Overview
CVE-2025-62170 is a use-after-free vulnerability in the RODEX (mail) functionality of rAthena, an open-source cross-platform MMORPG server. The flaw resides in the map-server component and affects all versions prior to commit af2f3ba. An unauthenticated remote attacker can trigger the vulnerability over the network to crash the map-server, resulting in denial of service for connected game clients. The issue is tracked under [CWE-416: Use After Free] and has been patched upstream in commit af2f3ba33fc03dc6dd510f8cfe84cd9185af748d.
Critical Impact
Unauthenticated network attackers can crash the rAthena map-server, taking the entire game world offline and disrupting all connected players.
Affected Products
- rAthena map-server versions prior to commit af2f3ba
- rAthena RODEX (mail system) functionality in src/map/clif.cpp
- All deployments running rAthena MMORPG server before the patched commit
Discovery Timeline
- 2025-10-13 - CVE-2025-62170 published to NVD
- 2025-10-13 - Patch released via commit af2f3ba and GitHub Security Advisory GHSA-9mj9-8vgv-r92j
- 2025-10-20 - Last updated in NVD database
Technical Details for CVE-2025-62170
Vulnerability Analysis
The vulnerability is a use-after-free condition in the RODEX mail-handling logic of rAthena's map-server. When the server calculates the total weight of items attached to a mail message, it dereferences entries in the sd->inventory_data array without validating the inventory index or confirming that the pointer is non-null. An attacker who manipulates RODEX mail interactions can cause the server to access freed or invalid item_data memory, dereferencing an invalid pointer and crashing the process. Because the attack targets unauthenticated network-reachable code paths in the map-server, exploitation only requires the ability to send crafted packets to the service.
Root Cause
The root cause is missing bounds and null-pointer validation on sd->mail.item[i].index and sd->inventory_data[...] inside the RODEX weight calculation. The original code assumed the inventory entry was always valid, allowing a stale or out-of-range index to dereference freed memory.
Attack Vector
The attack vector is network-based and unauthenticated against the map-server's RODEX packet handlers. A remote attacker triggers a specific RODEX interaction scenario that causes the map-server to evaluate a mail item with an invalid or freed inventory reference, crashing the server and producing a denial-of-service condition.
// Patch from commit af2f3ba in src/map/clif.cpp
// Fixed a possible crash with RODEX
break;
}
- total += sd->mail.item[i].amount * ( sd->inventory_data[sd->mail.item[i].index]->weight / 10 );
+ if( sd->mail.item[i].index < 0 || sd->mail.item[i].index >= MAX_INVENTORY ){
+ continue;
+ }
+
+ item_data* id = sd->inventory_data[sd->mail.item[i].index];
+
+ if( id == nullptr ){
+ continue;
+ }
+
+ total += sd->mail.item[i].amount * ( id->weight / 10 );
}
p.weight = total;
// Source: https://github.com/rathena/rathena/commit/af2f3ba33fc03dc6dd510f8cfe84cd9185af748d
The patch adds two guards: a bounds check against MAX_INVENTORY and a null check on the resulting item_data* pointer. Either condition now causes the loop iteration to continue rather than dereference invalid memory.
Detection Methods for CVE-2025-62170
Indicators of Compromise
- Unexpected crashes or restarts of the rAthena map-server process, especially correlated with client RODEX (mail) activity
- Core dumps or segmentation faults referencing clif.cpp weight-calculation code paths
- Abnormal volumes of inbound RODEX-related packets from a single source IP prior to a crash
Detection Strategies
- Monitor the running rAthena commit hash and flag any deployment running a commit earlier than af2f3ba33fc03dc6dd510f8cfe84cd9185af748d
- Review server logs and process supervisor events for repeated unplanned map-server terminations
- Capture network traces of RODEX packet flows during crash windows for offline analysis
Monitoring Recommendations
- Alert on map-server process exits or restarts outside of scheduled maintenance windows
- Track per-source-IP RODEX request rates to identify abusive clients targeting mail functionality
- Enable crash reporting and retain core dumps for forensic correlation with GHSA-9mj9-8vgv-r92j
How to Mitigate CVE-2025-62170
Immediate Actions Required
- Update the rAthena source tree to a revision that includes commit af2f3ba33fc03dc6dd510f8cfe84cd9185af748d and rebuild the map-server
- Restart all map-server instances after applying the patch to ensure the vulnerable code path is no longer loaded
- Restrict map-server network exposure to trusted networks where operationally feasible
Patch Information
The maintainers fixed the issue in commit af2f3ba, which adds inventory-index bounds checking and a null-pointer check on item_data* before dereferencing it during RODEX weight calculation. Full details are in the rAthena GitHub Security Advisory GHSA-9mj9-8vgv-r92j.
Workarounds
- There are no official workarounds other than manually applying the patch from commit af2f3ba
- Operators unable to update immediately should monitor map-server availability closely and prepare automated restart tooling
- Consider temporarily disabling RODEX-related features in server configuration if upstream patching is delayed
# Pull the patched rAthena source and rebuild the map-server
git fetch origin
git checkout master
git pull origin master
git log --oneline | grep af2f3ba
# Rebuild from a clean state
make clean
make server
# Restart the map-server process
./map-server
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
