CVE-2025-62603 Overview
CVE-2025-62603 affects eProsima Fast DDS, a C++ implementation of the Object Management Group (OMG) Data Distribution Service (DDS) standard. The vulnerability resides in the Common Data Representation (CDR) parser path readParticipantGenericMessage → readDataHolderSeq, which deserializes security control-message containers without performing minimal header peeking first. A remote attacker can send a crafted ParticipantGenericMessage whose DataHolderSeq triggers an out-of-memory condition and remotely terminates the receiving process. The flaw is classified as an Out-of-Bounds Read [CWE-125] and impacts availability. Maintainers fixed the issue in versions 3.4.1, 3.3.1, and 2.6.11.
Critical Impact
Remote unauthenticated attackers on the RTPS network can crash Fast DDS participants by sending malformed security control messages, disrupting middleware-dependent systems such as robotics and industrial control workloads.
Affected Products
- eProsima Fast DDS versions prior to 3.4.1 (including 3.4.0)
- eProsima Fast DDS versions prior to 3.3.1
- eProsima Fast DDS versions prior to 2.6.11
- Debian Linux 11, 12, and 13
Discovery Timeline
- 2026-02-03 - CVE-2025-62603 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2025-62603
Vulnerability Analysis
Fast DDS implements the DDS Security specification using ParticipantGenericMessage as the container for handshake and ongoing security-control traffic. This includes crypto-token exchange, rekeying, re-authentication, and token delivery for newly appearing endpoints. The CDR parser deserializes the embedded message_data field via readParticipantGenericMessage → readDataHolderSeq before any higher-layer state validation occurs.
The DataHolderSeq is parsed sequentially: a sequence count (uint32), followed by each DataHolder containing a class_id string (e.g., DDS:Auth:PKI-DH:1.0+Req), key/value string properties, and binary properties consisting of a name plus an octet-vector. Because the parser is stateless, it fully unfolds the structure before distinguishing legitimate from malformed traffic.
Root Cause
The Real-Time Publish-Subscribe (RTPS) protocol permits duplicates, delays, and retransmissions. A receiver must perform minimal structural parsing to check identity and sequence numbers before processing or discarding a message. The implementation does not peek only at a minimal header; instead, it parses the entire DataHolderSeq. An attacker-controlled sequence count or property length triggers allocations that exhaust memory, causing process termination.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An adversary with reachability to the RTPS transport sends a crafted security control message whose declared sequence and property sizes drive the parser into allocating attacker-controlled buffers, producing an out-of-memory condition and abort.
// Patch excerpt: src/cpp/fastdds/core/policy/ParameterList.cpp
// Replaces unchecked position advancement with bounded 64-bit arithmetic
while (msg.pos < msg.length)
{
    valid = true;
    // Each read is chained with && so parsing stops at the first failed read
    valid = valid && rtps::CDRMessage::readUInt16(&msg, &pid);
    valid = valid && rtps::CDRMessage::readUInt16(&msg, &plength);
    if (!valid || (pid == PID_SENTINEL))
    {
        break;
    }
    if (pid == search_pid)
    {
        valid = valid && rtps::CDRMessage::readData(&msg, guid.guidPrefix.value,
                rtps::GuidPrefix_t::size);
        valid = valid && rtps::CDRMessage::readData(&msg, guid.entityId.value, rtps::EntityId_t::size);
        return valid;
    }
    // Advance in 64-bit arithmetic so the 32-bit position cannot wrap, then
    // clamp to the end of the message instead of running past it
    uint64_t aligned_length = (static_cast<uint64_t>(plength) + 3u) & ~3u;
    uint64_t new_pos = static_cast<uint64_t>(msg.pos) + aligned_length;
    if (new_pos > static_cast<uint64_t>(msg.length))
    {
        new_pos = msg.length;
    }
    msg.pos = static_cast<uint32_t>(new_pos);
}
// Source: https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f
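The root-cause description above (a stateless parser that honours a declared sequence count before checking whether the message can actually contain that many elements) and the clamped position advance in the patch excerpt both come down to one defensive rule: validate every declared length against the bytes that remain before allocating, and never let the read position run past the buffer. The following is an added illustration and is not Fast DDS code; it reads a simplified DataHolderSeq-like layout (sequence count, then per holder a class_id string and a sequence of binary properties) in little-endian CDR. The layout simplifications, the policy limits (kMaxHolders and friends), the Builder helper and the sample bytes are all constructed for this example.

```cpp
// Added example (not Fast DDS code): a bounded little-endian CDR reader for a
// DataHolderSeq-like layout. Layout, limits and sample bytes are constructed
// for illustration; every declared length is checked against the bytes that
// remain before anything is allocated, and the position advance is clamped.
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

struct BinaryProperty { std::string name; std::vector<uint8_t> value; };
struct DataHolder { std::string class_id; std::vector<BinaryProperty> binary_properties; };

// Constructed upper bounds; a real deployment would tune these to its profiles.
constexpr uint32_t kMaxHolders = 16, kMaxProps = 32, kMaxStr = 256, kMaxOctets = 4096;

struct Reader {
    const uint8_t* data; size_t len; size_t pos = 0;
    size_t remaining() const { return len - pos; }
    // Clamp to the end of the buffer instead of letting pos run past it.
    void align4() { size_t a = (pos + 3) & ~static_cast<size_t>(3); pos = a > len ? len : a; }
    bool readU32(uint32_t& out) {
        if (remaining() < 4) return false;
        out = 0;
        for (int i = 0; i < 4; ++i) out |= static_cast<uint32_t>(data[pos + i]) << (8 * i);
        pos += 4;
        return true;
    }
    // CDR string: uint32 length (NUL included) followed by the bytes.
    bool readString(std::string& out, uint32_t max_len) {
        uint32_t n;
        if (!readU32(n) || n == 0 || n > max_len || n > remaining()) return false;
        out.assign(reinterpret_cast<const char*>(data + pos), n - 1);
        pos += n; align4();
        return true;
    }
    bool readOctets(std::vector<uint8_t>& out, uint32_t max_len) {
        uint32_t n;
        if (!readU32(n) || n > max_len || n > remaining()) return false;
        out.assign(data + pos, data + pos + n);
        pos += n; align4();
        return true;
    }
};

// Returns false at the first inconsistency. A declared count is rejected before
// reserve() when it exceeds the policy limit or when the remaining bytes could
// not possibly encode that many elements (each holder or property needs >= 9 bytes).
bool parseDataHolderSeq(const uint8_t* buf, size_t len, std::vector<DataHolder>& out) {
    Reader r{buf, len};
    uint32_t count;
    if (!r.readU32(count) || count > kMaxHolders || count > r.remaining() / 9) return false;
    out.clear(); out.reserve(count);
    for (uint32_t i = 0; i < count; ++i) {
        DataHolder h;
        uint32_t nprops;
        if (!r.readString(h.class_id, kMaxStr)) return false;
        if (!r.readU32(nprops) || nprops > kMaxProps || nprops > r.remaining() / 9) return false;
        h.binary_properties.reserve(nprops);
        for (uint32_t j = 0; j < nprops; ++j) {
            BinaryProperty p;
            if (!r.readString(p.name, kMaxStr) || !r.readOctets(p.value, kMaxOctets)) return false;
            h.binary_properties.push_back(std::move(p));
        }
        out.push_back(std::move(h));
    }
    return true;
}

// Constructed sample (not captured traffic): one holder carrying one binary
// property, with the sequence count supplied by the caller.
struct Builder {
    std::vector<uint8_t> b;
    void u32(uint32_t v) { for (int i = 0; i < 4; ++i) b.push_back(static_cast<uint8_t>(v >> (8 * i))); }
    void align4() { while (b.size() % 4) b.push_back(0); }
    void str(const std::string& s) { u32(static_cast<uint32_t>(s.size() + 1)); b.insert(b.end(), s.begin(), s.end()); b.push_back(0); align4(); }
    void octets(std::initializer_list<uint8_t> v) { u32(static_cast<uint32_t>(v.size())); b.insert(b.end(), v.begin(), v.end()); align4(); }
};

std::vector<uint8_t> sampleMessage(uint32_t declared_count) {
    Builder bld;
    bld.u32(declared_count);             // DataHolderSeq length
    bld.str("DDS:Auth:PKI-DH:1.0+Req");  // class_id
    bld.u32(1);                          // binary_properties length
    bld.str("c.id");
    bld.octets({0x30, 0x82, 0x01});
    return bld.b;
}

int main() {
    std::vector<DataHolder> holders;
    std::vector<uint8_t> honest = sampleMessage(1), oversized = sampleMessage(0xFFFFFFFFu);
    std::cout << "honest: " << parseDataHolderSeq(honest.data(), honest.size(), holders)
              << " oversized: " << parseDataHolderSeq(oversized.data(), oversized.size(), holders) << '\n';
    return 0;
}
```

The same 56-byte sample parses when the count says 1 and is rejected, without any reserve() call, when the count field is set to 0xFFFFFFFF; a copy truncated part-way through a property name is rejected at the string length check. The remaining/9 bound is deliberately loose: it only has to stop a count that no message of this size could honour, while the policy limits do the finer-grained work.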
Detection Methods for CVE-2025-62603
Indicators of Compromise
- Unexpected termination or SIGABRT of Fast DDS participant processes coinciding with inbound RTPS traffic.
- Spikes in resident memory usage by DDS participants immediately before a crash.
- Inbound RTPS messages containing oversized DataHolderSeq sequence counts or unusually long property name/value fields.
Detection Strategies
- Inspect RTPS traffic on the default port range (UDP 7400 and above) for ParticipantGenericMessage payloads whose declared sequence counts are anomalously large.
- Correlate process crashes of Fast DDS-linked binaries with peer discovery events from untrusted sources.
- Monitor host telemetry for memory-pressure kills (OOM killer) targeting DDS workloads.
Monitoring Recommendations
- Enable verbose Fast DDS logging to capture deserialization failures in readDataHolderSeq.
- Alert on repeated participant restarts within short time windows on a single host.
- Track network flows from unauthorized peers attempting RTPS discovery on production segments.
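The monitoring recommendation to alert on repeated participant restarts within a short window on one host can be implemented as a per-host sliding window over process lifecycle events. The following is an added example and not part of the advisory or of Fast DDS; the "<epoch> <host> <unit> <event>" line layout is an assumption loosely modelled on journald output, and the sample log lines are constructed.

```cpp
// Added example (not from the advisory): sliding-window detection of
// participant restart storms on a single host. Input lines are constructed and
// loosely modelled on journald output; the "<epoch> <host> <unit> <event>"
// layout and the unit naming are assumptions made for this illustration.
#include <deque>
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

struct RestartAlert { std::string host; long first; long last; int count; };

// Emits one alert per host each time the restart count inside the window
// first reaches the threshold; re-arms once the window drains below it.
std::vector<RestartAlert> detectRestartStorms(const std::vector<std::string>& lines,
                                              int threshold, long window_secs) {
    std::map<std::string, std::deque<long>> recent;   // host -> restart timestamps in window
    std::map<std::string, bool> armed;                // host -> alert already raised
    std::vector<RestartAlert> alerts;
    for (const std::string& line : lines) {
        std::istringstream in(line);
        long ts; std::string host, unit, event;
        if (!(in >> ts >> host >> unit >> event)) continue;     // skip malformed lines
        if (unit.find("dds") == std::string::npos || event != "restarted") continue;
        std::deque<long>& q = recent[host];
        q.push_back(ts);
        while (ts - q.front() > window_secs) q.pop_front();    // drop events outside the window
        int n = static_cast<int>(q.size());
        if (n >= threshold && !armed[host]) {
            alerts.push_back({host, q.front(), ts, n});
            armed[host] = true;
        } else if (n < threshold) {
            armed[host] = false;
        }
    }
    return alerts;
}

// Constructed sample log (epoch seconds); not real telemetry.
const std::vector<std::string> kSampleLog = {
    "1770000000 robot-01 fastdds-node.service restarted",
    "1770000020 robot-01 fastdds-node.service restarted",
    "1770000045 robot-02 fastdds-node.service restarted",
    "1770000050 robot-01 fastdds-node.service restarted",
    "1770000400 robot-01 fastdds-node.service restarted",
    "1770000410 robot-02 sshd.service restarted",
    "garbage line",
};

int main() {
    for (const RestartAlert& a : detectRestartStorms(kSampleLog, 3, 60))
        std::cout << a.host << ": " << a.count << " restarts between "
                  << a.first << " and " << a.last << '\n';
    return 0;
}
```

With a threshold of 3 restarts in 60 seconds the sample produces a single alert for robot-01 covering its first three restarts; the later restart at 1770000400 falls outside the window, so the counter drains and the host re-arms. Feeding the same events with the crash correlation from the Detection Strategies list (peer discovery from an unknown source just before each restart) is what turns this from a generic stability signal into an indicator for this CVE.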
How to Mitigate CVE-2025-62603
Immediate Actions Required
- Upgrade Fast DDS to version 3.4.1, 3.3.1, or 2.6.11 depending on your branch.
- Inventory all deployed robotics, autonomous systems, and middleware components that statically or dynamically link Fast DDS.
- Apply the Debian security update once published for Debian 11, 12, and 13 systems.
Patch Information
The maintainers shipped fixes across three commits: 354218514d, a726e6a5da, and ced3b6f92d. The patches introduce a wrap_from_other_message helper that validates the available data before constructing a sub-message, and replace non-short-circuiting bitwise operators with logical AND (&&) so that parsing halts at the first failed read. See the Debian CVE-2025-62603 Tracker for distribution status.
Workarounds
- Restrict RTPS traffic to trusted network segments using firewall rules on UDP discovery and user-traffic ports.
- Enforce DDS Security authentication and access control so unknown participants cannot initiate the affected message exchange.
- Deploy network segmentation between operational technology zones and corporate networks to limit reachability.
# Example: restrict RTPS to a trusted subnet using iptables
iptables -A INPUT -p udp --dport 7400:7500 -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -p udp --dport 7400:7500 -j DROP
# Verify installed Fast DDS version after upgrade
dpkg -l | grep fastdds
# Expected: 3.4.1, 3.3.1, or 2.6.11 (or later)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.