Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-63548

CVE-2025-63548: Eprosima Micro-XRCE-DDS Agent DoS Flaw

CVE-2025-63548 is a denial of service vulnerability in Eprosima Micro-XRCE-DDS Agent v.3.0.1 caused by malformed Boolean field values. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2025-63548 Overview

CVE-2025-63548 is a denial of service vulnerability in Eprosima Micro-XRCE-DDS Agent version 3.0.1. The agent fails to properly validate Boolean field values in incoming packets. A remote attacker can send a specially crafted packet containing a non-valid value in any Boolean field to crash the agent process. The flaw is network-exploitable, requires no authentication, and needs no user interaction. The Micro-XRCE-DDS Agent is widely used in robotics and IoT deployments to bridge resource-constrained devices to a DDS network, making service availability critical for downstream systems.

Critical Impact

Unauthenticated remote attackers can disrupt DDS communication for connected robotics and IoT clients by sending a single malformed packet.

Affected Products

  • Eprosima Micro-XRCE-DDS Agent v3.0.1
  • Deployments using the agent as a bridge between XRCE-DDS clients and DDS networks
  • ROS 2 and embedded robotics stacks that depend on Micro-XRCE-DDS Agent

Discovery Timeline

  • 2026-05-01 - CVE-2025-63548 published to NVD
  • 2026-05-05 - Last updated in NVD database

Technical Details for CVE-2025-63548

Vulnerability Analysis

The vulnerability is classified under [CWE-241] Improper Handling of Unexpected Data Type. The Micro-XRCE-DDS Agent parses incoming XRCE protocol messages that contain Boolean fields. The XRCE-DDS specification defines Boolean values as either 0x00 (false) or 0x01 (true). When the agent receives a packet where a Boolean field contains a value outside this set, the parser does not reject the input or fall back to a safe default. The unexpected byte propagates into downstream logic and triggers a fatal condition that terminates the agent.

Because the agent process serves multiple XRCE clients, a single malformed datagram halts communication for every dependent client. Attackers can repeat the packet to keep the service offline.

Root Cause

The root cause is missing input validation on Boolean-typed fields during message deserialization. The agent trusts the wire value rather than enforcing the protocol-defined domain of {0x00, 0x01}. This violates defensive parsing principles for binary protocols.

Attack Vector

Exploitation requires only network reachability to the agent's listening transport, typically UDP. The attacker constructs an XRCE-DDS message with a valid header and submessage layout, then sets one Boolean field to an out-of-domain byte such as 0x02. On receipt, the agent crashes. No credentials, session, or prior interaction are required. See the Eprosima GitHub Issue #389 for the original reporter's technical details.

No public proof-of-concept exploit code is available in verified sources, so the mechanism is described here in prose only.

Detection Methods for CVE-2025-63548

Indicators of Compromise

  • Unexpected termination or repeated restarts of the MicroXRCEAgent process without a corresponding administrative action
  • Loss of connectivity reported by XRCE-DDS clients followed by reconnection storms
  • Inbound UDP traffic to the agent's listening port from untrusted sources preceding agent crashes

Detection Strategies

  • Monitor agent process exit codes and core dumps to identify crash patterns consistent with malformed input parsing
  • Deploy network sensors that decode XRCE-DDS submessages and flag Boolean fields containing values other than 0x00 or 0x01
  • Correlate agent crash events with packet capture timestamps to confirm packet-induced denial of service

Monitoring Recommendations

  • Enable verbose agent logging during incident windows to capture the last received message before termination
  • Track UDP packet rates to the agent listener and alert on sources sending malformed XRCE traffic
  • Add availability checks for downstream ROS 2 or DDS clients that depend on the agent

How to Mitigate CVE-2025-63548

Immediate Actions Required

  • Restrict network exposure of the Micro-XRCE-DDS Agent to trusted client subnets using host firewalls or network ACLs
  • Audit deployments for the affected v3.0.1 build and inventory exposed listeners
  • Apply process supervision so that crashes trigger automatic restart while a permanent fix is pending

Patch Information

No fixed version was identified in the enriched advisory data at the time of publication. Track the upstream issue at Eprosima GitHub Issue #389 and the community CVE listing for fix availability, then upgrade as soon as a patched release is published.

Workarounds

  • Place the agent behind an XRCE-aware proxy or filter that rejects packets containing Boolean field values other than 0x00 or 0x01
  • Bind the agent to internal interfaces only and require VPN or mTLS-protected transport for remote clients
  • Use a process manager such as systemd with Restart=always and rate limiting to limit attacker-induced downtime
bash
# Example systemd hardening for the agent service
[Service]
ExecStart=/usr/local/bin/MicroXRCEAgent udp4 -p 8888
Restart=always
RestartSec=2
StartLimitIntervalSec=60
StartLimitBurst=10
IPAddressAllow=10.0.0.0/8
IPAddressDeny=any

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.