CVE-2025-62602 Overview
CVE-2025-62602 is a heap buffer overflow vulnerability affecting eProsima Fast DDS, a C++ implementation of the Data Distribution Service (DDS) standard from the Object Management Group (OMG). When security mode is enabled, an attacker can modify DATA Submessage fields within an SPDP (Simple Participant Discovery Protocol) packet to trigger a heap buffer overflow, resulting in remote termination of the Fast DDS process. The vulnerability specifically involves tampering with PID_IDENTITY_TOKEN or PID_PERMISSIONS_TOKEN fields where the readOctetVector function reads an unchecked vecsize value that propagates to readData as an unvalidated length parameter.
Critical Impact
Remote attackers can trigger a 32-bit integer overflow leading to out-of-memory conditions and denial of service, causing remote process termination of Fast DDS applications with security mode enabled.
Affected Products
- eProsima Fast DDS versions prior to 3.4.1
- eProsima Fast DDS versions prior to 3.3.1
- eProsima Fast DDS versions prior to 2.6.11
Discovery Timeline
- 2026-02-03 - CVE-2025-62602 published to NVD
- 2026-02-04 - Last updated in NVD database
Technical Details for CVE-2025-62602
Vulnerability Analysis
The vulnerability resides in the CDRMessage processing logic within Fast DDS when handling SPDP discovery packets with security features enabled. When parsing parameter lists in the DATA Submessage, the readOctetVector function accepts a vecsize value directly from the network packet without proper bounds validation. This attacker-controlled value is then passed unchanged to readData as the length parameter.
The core issue is a 32-bit integer overflow that occurs during length calculations. When processing parameters like PID_IDENTITY_TOKEN or PID_PERMISSIONS_TOKEN, the code performs alignment calculations using the pattern (plength + 3) & ~3 to align to 4-byte boundaries. Without proper validation, an attacker-supplied plength value near the 32-bit integer maximum can cause this calculation to wrap around, leading to incorrect memory allocation sizes.
The resulting behavior manifests as either an allocation of a much smaller buffer than expected (leading to heap buffer overflow when data is written) or an attempt to allocate an extremely large buffer that causes out-of-memory conditions. Both scenarios result in process termination, enabling remote denial of service.
Root Cause
The root cause is improper input validation (CWE-122: Heap-based Buffer Overflow) in the CDRMessage parsing routines. The vecsize parameter read from network data is not validated against available message data bounds before being used for memory operations. Additionally, the parameter list iteration logic performs arithmetic operations on untrusted length values without checking for integer overflow conditions.
Attack Vector
The attack is network-based and can be executed remotely against any Fast DDS participant with security mode enabled. An attacker crafts a malicious SPDP discovery packet with tampered PID_IDENTITY_TOKEN or PID_PERMISSIONS_TOKEN parameter values. The specially crafted vecsize field triggers the integer overflow during message processing, leading to either heap corruption or OOM-induced crash. No authentication is required to send discovery packets, making this vulnerability exploitable by any network-adjacent attacker.
// Vulnerable pattern in ParameterList.cpp - before patch
// Source: https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b
while (msg.pos < msg.length)
{
valid = true;
- valid &= rtps::CDRMessage::readUInt16(&msg, &pid);
- valid &= rtps::CDRMessage::readUInt16(&msg, &plength);
+ valid = valid && rtps::CDRMessage::readUInt16(&msg, &pid);
+ valid = valid && rtps::CDRMessage::readUInt16(&msg, &plength);
if (!valid || (pid == PID_SENTINEL))
{
break;
}
if (pid == search_pid)
{
- valid &= rtps::CDRMessage::readData(&msg, guid.guidPrefix.value,
+ valid = valid && rtps::CDRMessage::readData(&msg, guid.guidPrefix.value,
rtps::GuidPrefix_t::size);
- valid &= rtps::CDRMessage::readData(&msg, guid.entityId.value, rtps::EntityId_t::size);
+ valid = valid && rtps::CDRMessage::readData(&msg, guid.entityId.value, rtps::EntityId_t::size);
return valid;
}
- msg.pos += (plength + 3) & ~3;
+ uint64_t aligned_length = (static_cast<uint64_t>(plength) + 3u) & ~3u;
+ uint64_t new_pos = static_cast<uint64_t>(msg.pos) + aligned_length;
+ if (new_pos > static_cast<uint64_t>(msg.length))
+ {
+ new_pos = msg.length;
+ }
+ msg.pos = static_cast<uint32_t>(new_pos);
}
return false;
Source: eProsima Commit Fix
Detection Methods for CVE-2025-62602
Indicators of Compromise
- Unexpected Fast DDS process crashes or terminations when security mode is enabled
- SPDP discovery packets with abnormally large PID_IDENTITY_TOKEN or PID_PERMISSIONS_TOKEN parameter lengths
- Out-of-memory errors or allocation failures logged by Fast DDS applications
- Network traffic containing malformed DDS RTPS packets targeting discovery ports (typically UDP 7400-7500 range)
Detection Strategies
- Monitor DDS discovery traffic for SPDP packets with parameter length values approaching 32-bit integer boundaries
- Implement network intrusion detection rules to identify malformed RTPS protocol messages
- Configure process monitoring to alert on unexpected Fast DDS service terminations
- Deploy memory monitoring to detect sudden allocation spikes in DDS participant processes
Monitoring Recommendations
- Enable verbose logging in Fast DDS applications to capture CDRMessage parsing errors
- Monitor system logs for OOM killer events affecting DDS processes
- Implement health checks for DDS participant availability in distributed systems
- Track network traffic patterns on DDS discovery multicast groups for anomalous packet sizes
How to Mitigate CVE-2025-62602
Immediate Actions Required
- Upgrade to Fast DDS version 3.4.1, 3.3.1, or 2.6.11 depending on your version branch
- Implement network segmentation to restrict access to DDS discovery ports from untrusted networks
- Enable rate limiting on DDS discovery traffic to reduce attack surface
- Monitor Fast DDS processes for unexpected terminations while patching is coordinated
Patch Information
eProsima has released patches for all supported Fast DDS branches. The fix introduces proper bounds checking in the CDRMessage parsing logic by promoting 32-bit length calculations to 64-bit arithmetic to prevent integer overflow, and adding validation that new position values do not exceed message boundaries.
The patched versions include:
- Fast DDS 3.4.1 (latest stable branch)
- Fast DDS 3.3.1 (previous stable branch)
- Fast DDS 2.6.11 (LTS branch)
Patch commits are available at:
Workarounds
- Restrict network access to DDS discovery ports using firewall rules to allow only trusted participants
- Deploy Fast DDS applications in isolated network segments where SPDP traffic cannot be injected by untrusted sources
- Consider temporarily disabling security mode if the environment is already protected by network-level security controls (trade-off analysis required)
- Implement process supervision to automatically restart Fast DDS services if crashes occur
# Configuration example - Firewall rules to restrict DDS discovery traffic
# Restrict SPDP discovery ports to trusted network only
iptables -A INPUT -p udp --dport 7400:7500 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p udp --dport 7400:7500 -j DROP
# Monitor for Fast DDS process crashes
journalctl -u fastdds.service --follow | grep -E "(crash|terminated|OOM)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
