CVE-2025-62599 Overview
CVE-2025-62599 is an Integer Overflow vulnerability affecting Fast DDS, a C++ implementation of the Data Distribution Service (DDS) standard by the Object Management Group (OMG). When security mode is enabled, attackers can exploit this flaw by modifying the DATA Submessage within an SPDP (Simple Participant Discovery Protocol) packet sent by a publisher, causing an Out-Of-Memory (OOM) condition that results in remote termination of Fast DDS processes.
The vulnerability specifically occurs when the PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN fields in the DATA Submessage are tampered with, particularly by manipulating the length field in readPropertySeq. This manipulation triggers an integer overflow during the resize operation, leading to memory exhaustion and denial of service.
Critical Impact
Remote attackers can crash Fast DDS instances by sending specially crafted SPDP packets, causing denial of service in distributed systems relying on DDS communication.
Affected Products
- Fast DDS versions prior to 3.4.1
- Fast DDS versions prior to 3.3.1
- Fast DDS versions prior to 2.6.11
Discovery Timeline
- 2026-02-03 - CVE-2025-62599 published to NVD
- 2026-02-04 - Last updated in NVD database
Technical Details for CVE-2025-62599
Vulnerability Analysis
This vulnerability represents a classic integer overflow condition in the Fast DDS implementation's handling of SPDP (Simple Participant Discovery Protocol) packets. The flaw resides in the readPropertySeq function, which processes property sequences within security tokens during participant discovery.
When Fast DDS operates in security mode, it processes authentication and permission tokens (PID_IDENTITY_TOKEN and PID_PERMISSION_TOKEN) contained within DATA Submessages. The vulnerability is triggered when an attacker crafts a malicious SPDP packet with a manipulated length field that causes an integer overflow during memory allocation calculations.
The integer overflow occurs during the resize operation, where the manipulated length value wraps around, potentially causing the system to attempt allocating an unexpectedly large amount of memory. This results in an Out-Of-Memory condition that terminates the Fast DDS process, effectively denying service to all participants relying on that node.
The vulnerability is classified under CWE-125 (Out-of-bounds Read), indicating that the integer overflow can also lead to memory access issues beyond the allocated buffer boundaries.
Root Cause
The root cause of this vulnerability is insufficient validation of the length field in the readPropertySeq function before performing memory allocation operations. When processing security token properties from SPDP packets, the code fails to properly validate that the provided length value will not cause an integer overflow when used in subsequent memory calculations.
Specifically, the vulnerability stems from:
- Lack of bounds checking on the length field extracted from incoming SPDP packets
- Insufficient validation before calling resize operations on internal data structures
- Missing integer overflow detection during memory allocation size calculations
Attack Vector
The attack is network-based and can be executed by any attacker capable of sending UDP packets to the DDS participant's discovery port. The exploitation process involves:
- Reconnaissance: The attacker identifies Fast DDS instances operating in security mode on the network
- Packet Crafting: A malicious SPDP packet is constructed with a tampered DATA Submessage containing a specially crafted length field in PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN
- Transmission: The crafted packet is sent to the target's SPDP discovery port
- Exploitation: The victim's Fast DDS instance processes the packet, triggering the integer overflow during readPropertySeq execution
- Impact: The resulting OOM condition causes the Fast DDS process to terminate, disrupting DDS communication
The attack requires the target to be operating in security mode but does not require authentication or any special privileges to execute.
Detection Methods for CVE-2025-62599
Indicators of Compromise
- Unexpected termination or crashes of Fast DDS processes with out-of-memory errors
- Abnormally large memory allocation attempts in DDS-related processes
- Unusual SPDP packets with malformed or excessively large length fields in security tokens
- Repeated DDS participant discovery failures following process terminations
Detection Strategies
- Monitor Fast DDS processes for unexpected terminations and OOM kill events in system logs
- Implement network monitoring to detect malformed SPDP packets with suspicious length values in security token fields
- Deploy intrusion detection rules to identify anomalous DDS discovery traffic patterns
- Enable application-level logging to capture readPropertySeq parsing errors and memory allocation failures
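The length check the Root Cause section describes, and the "suspicious length" test the detection bullets above call for, in one added example. This is hypothetical C++ written for this page, not Fast DDS's readPropertySeq: it models a DDS-Security token's PropertySeq in CDR (a uint32 element count, then a name string and a value string per element, each a uint32 length that includes the NUL terminator followed by the bytes, with 4-byte alignment before each length; little-endian only, encapsulation header and enclosing parameter list omitted). The reader rejects a declared count that the bytes remaining in the buffer cannot satisfy before it ever calls resize(), and inspectPropertySeq exposes the same verdict so a capture-processing or logging hook can flag a malformed token instead of allocating for it. The property names, values and the 0xFFFFFFFF count in the samples are constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Hypothetical, simplified model of a DDS-Security PropertySeq in CDR.
// NOT Fast DDS code; little-endian only; the RTPS encapsulation header and
// the parameter list around the token are omitted.

struct Property {
    std::string name;
    std::string value;
};

enum class ParseStatus { Ok, Truncated, LengthExceedsBuffer };

struct Cursor {
    const uint8_t* data;
    size_t size;
    size_t pos = 0;

    size_t remaining() const { return size - pos; }

    // Align to 4 and read a little-endian uint32. Bounds are checked against
    // remaining(), never by computing pos + n, so a wrapped sum cannot pass.
    bool readU32(uint32_t& out) {
        size_t aligned = (pos + 3) & ~static_cast<size_t>(3);
        if (aligned > size || size - aligned < 4) return false;
        pos = aligned;
        std::memcpy(&out, data + pos, 4);
        pos += 4;
        return true;
    }

    // A CDR string: the declared length must fit in what is left of the
    // buffer before any bytes are copied or any storage is sized from it.
    bool readString(std::string& out) {
        uint32_t len;
        if (!readU32(len)) return false;
        if (len == 0 || len > remaining()) return false;
        out.assign(reinterpret_cast<const char*>(data + pos), len - 1);  // drop NUL
        pos += len;
        return true;
    }
};

// Every element costs at least two 4-byte string length prefixes on the wire,
// so a declared count above remaining()/8 can never be satisfied by the bytes
// that follow. The unchecked pattern is out.resize(count) straight from the
// wire; bounding count first is what keeps resize() from being sized by input.
constexpr size_t kMinPropertyWireBytes = 8;

ParseStatus readPropertySeqChecked(Cursor& c, std::vector<Property>& out) {
    out.clear();
    uint32_t count;
    if (!c.readU32(count)) return ParseStatus::Truncated;
    if (count > c.remaining() / kMinPropertyWireBytes) return ParseStatus::LengthExceedsBuffer;
    out.resize(count);  // now bounded by the size of the received buffer
    for (uint32_t i = 0; i < count; ++i) {
        if (!c.readString(out[i].name) || !c.readString(out[i].value)) {
            out.clear();
            return ParseStatus::Truncated;
        }
    }
    return ParseStatus::Ok;
}

// Monitoring hook: run the checked reader over the raw bytes of a captured
// token and report the verdict (LengthExceedsBuffer is the one worth alerting on).
ParseStatus inspectPropertySeq(const std::vector<uint8_t>& bytes, std::vector<Property>& out) {
    Cursor c{bytes.data(), bytes.size()};
    return readPropertySeqChecked(c, out);
}

// --- Encoder used only to construct sample input for this example ---------
static void putU32(std::vector<uint8_t>& b, uint32_t v) {
    while (b.size() % 4) b.push_back(0);  // CDR alignment padding
    for (int i = 0; i < 4; ++i) b.push_back(static_cast<uint8_t>(v >> (8 * i)));
}
static void putString(std::vector<uint8_t>& b, const std::string& s) {
    putU32(b, static_cast<uint32_t>(s.size() + 1));  // length counts the NUL
    b.insert(b.end(), s.begin(), s.end());
    b.push_back(0);
}
std::vector<uint8_t> encodePropertySeq(const std::vector<Property>& props) {
    std::vector<uint8_t> b;
    putU32(b, static_cast<uint32_t>(props.size()));
    for (const auto& p : props) {
        putString(b, p.name);
        putString(b, p.value);
    }
    return b;
}

// Constructed samples: a well-formed two-property sequence, and a copy whose
// count field is overwritten with 0xFFFFFFFF as a malformed token would carry.
std::vector<uint8_t> sampleWellFormed() {
    return encodePropertySeq({{"dds.cert.sn", "42"}, {"dds.cert.algo", "RS256"}});
}
std::vector<uint8_t> sampleHugeCount() {
    std::vector<uint8_t> b = sampleWellFormed();
    std::memset(b.data(), 0xFF, 4);
    return b;
}
```

Build with any C++17 compiler (g++ -std=c++17). The design point is that every bound is expressed as a comparison against remaining(), never as pos + length or count * elementSize, so there is no intermediate sum or product that can wrap; a token whose count exceeds remaining()/8 is refused before any allocation, and a monitor that feeds captured token bytes to inspectPropertySeq gets LengthExceedsBuffer as a concrete signal for the "suspicious length" indicator above.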
Monitoring Recommendations
- Configure system resource monitoring to alert on sudden memory consumption spikes in Fast DDS processes
- Implement process health monitoring with automatic restart capabilities for critical DDS nodes
- Set up network traffic analysis to baseline normal SPDP packet characteristics and alert on deviations
- Enable core dump collection for Fast DDS processes to facilitate post-incident analysis
How to Mitigate CVE-2025-62599
Immediate Actions Required
- Upgrade Fast DDS to patched versions: 3.4.1, 3.3.1, or 2.6.11 depending on your current version branch
- Review network segmentation to limit exposure of DDS discovery ports to untrusted networks
- Implement process monitoring and automatic restart mechanisms for critical Fast DDS instances
- Consider temporarily disabling security mode if the service disruption risk outweighs the security benefits in your environment
Patch Information
eProsima has released security patches addressing this vulnerability in Fast DDS versions 3.4.1, 3.3.1, and 2.6.11. The fixes implement proper validation of length fields in the readPropertySeq function to prevent integer overflow conditions.
The patches are available through the following commits:
Additional tracking information is available at the Debian CVE Tracker Entry.
Workarounds
- Implement network access controls to restrict SPDP traffic to trusted participants only
- Deploy DDS communication over VPN or other secured network tunnels to prevent packet injection from untrusted sources
- Configure resource limits (ulimit, cgroups) for Fast DDS processes to contain the impact of memory exhaustion attacks
- Implement load balancing with multiple DDS participants to maintain service availability during individual node failures
# Example: Restrict memory usage for Fast DDS processes using systemd
# Add to the [Service] section of the Fast DDS unit file; MemoryMax and MemoryHigh take effect on the cgroup v2 (unified) hierarchy
[Service]
MemoryMax=2G
MemoryHigh=1.5G
Restart=always
RestartSec=5
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

