CVE-2025-63547 Overview
CVE-2025-63547 affects Eprosima Micro-XRCE-DDS Agent version 3.0.1, a broker that bridges resource-constrained devices to DDS networks. A remote attacker can trigger a denial of service by sending a crafted packet with a malformed Maximum Transmission Unit (MTU) length field. The flaw is classified under CWE-805: Buffer Access with Incorrect Length Value. Exploitation requires no authentication and no user interaction, and the attack is reachable over the network. Successful exploitation disrupts the agent process and severs communications between connected DDS clients and the broader middleware fabric.
Critical Impact
Unauthenticated remote attackers can crash the Micro-XRCE-DDS Agent and disrupt robotics, IoT, and DDS-based middleware deployments that rely on it.
Affected Products
- Eprosima Micro-XRCE-DDS Agent v3.0.1
- Deployments embedding the Micro-XRCE-DDS Agent for ROS 2 / DDS-XRCE bridging
- Devices and gateways exposing the agent endpoint to untrusted networks
Discovery Timeline
- 2026-05-01 - CVE-2025-63547 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2025-63547
Vulnerability Analysis
The Micro-XRCE-DDS Agent implements the DDS-XRCE wire protocol to relay traffic between micro-controllers and DDS participants. The agent parses transport headers that include an MTU length field used to size buffers and validate subsequent payload reads. When an attacker supplies a crafted MTU value, the agent processes the packet using an incorrect length, leading to a buffer access with incorrect length value [CWE-805].
The outcome is a process-level fault that terminates the agent, breaking the DDS-XRCE bridge for every connected client. Because the agent often runs as a long-lived service in robotics, automotive, or industrial IoT stacks, repeated exploitation prevents reliable operation. The attacker does not need credentials, user interaction, or local access. The impact is restricted to availability; confidentiality and integrity are not affected.
Root Cause
The defect stems from missing or insufficient validation of the MTU length field before it is used to read or copy packet data. The agent trusts a client-controlled length, allowing the parser to operate on a buffer region that does not match the declared size. Refer to Eprosima Micro-XRCE-DDS Agent Issue #390 for the maintainer-tracked discussion.
Attack Vector
An attacker sends a single crafted DDS-XRCE packet to the agent's listening transport (UDP, TCP, or serial bridge) with a malformed MTU length field. The agent processes the malformed header, mishandles buffer boundaries, and crashes. The attack is repeatable, so attackers can sustain a denial-of-service condition by replaying the packet whenever the service restarts. See the public CVE tracking entry for additional context.
Detection Methods for CVE-2025-63547
Indicators of Compromise
- Unexpected termination or repeated restarts of the MicroXRCEAgent process on gateway and bridge hosts.
- Inbound DDS-XRCE packets with anomalous or oversized MTU header fields from untrusted sources.
- Loss of DDS topic activity from XRCE clients while the underlying network remains reachable.
Detection Strategies
- Monitor process lifecycle telemetry for the agent binary and alert on abnormal exit codes or crash loops.
- Inspect transport-layer captures for malformed DDS-XRCE headers, focusing on length fields exceeding negotiated MTU.
- Correlate agent crashes with inbound packet bursts from a single source address to surface targeted exploitation attempts.
Monitoring Recommendations
- Enable verbose agent logging and forward logs to a centralized analytics platform for anomaly review.
- Track availability of DDS-XRCE endpoints with synthetic clients that flag connectivity loss.
- Watch for repeated TCP/UDP session resets on the agent's listening port, which often precede service crashes.
How to Mitigate CVE-2025-63547
Immediate Actions Required
- Restrict network access to the Micro-XRCE-DDS Agent so only trusted XRCE clients can reach it.
- Place the agent behind a firewall or VPN segment and block exposure to the public internet.
- Deploy a process supervisor that limits restart frequency to prevent crash-loop amplification.
Patch Information
No fixed version was identified in the enriched CVE data at publication time. Track the upstream tracker at Eprosima Micro-XRCE-DDS Agent Issue #390 and apply the maintainer's patch as soon as it is released. Until then, treat any v3.0.1 deployment as vulnerable.
Workarounds
- Enforce strict allow-lists at the network layer to drop traffic from untrusted clients before it reaches the agent.
- Terminate DDS-XRCE traffic through a hardened proxy or transport that validates MTU and frame length fields.
- Run the agent under least privilege with automated restart policies and rate limiting on the listening socket.
# Configuration example: restrict the agent to a trusted subnet using iptables
iptables -A INPUT -p udp --dport 8888 -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -p udp --dport 8888 -j DROP
iptables -A INPUT -p tcp --dport 8888 -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8888 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

