CVE-2025-63548 Overview
CVE-2025-63548 is a denial of service vulnerability in Eprosima Micro-XRCE-DDS Agent version 3.0.1. The agent fails to properly validate Boolean field values in incoming packets. A remote attacker can send a specially crafted packet containing a non-valid value in any Boolean field to crash the agent process. The flaw is network-exploitable, requires no authentication, and needs no user interaction. The Micro-XRCE-DDS Agent is widely used in robotics and IoT deployments to bridge resource-constrained devices to a DDS network, making service availability critical for downstream systems.
Critical Impact
Unauthenticated remote attackers can disrupt DDS communication for connected robotics and IoT clients by sending a single malformed packet.
Affected Products
- Eprosima Micro-XRCE-DDS Agent v3.0.1
- Deployments using the agent as a bridge between XRCE-DDS clients and DDS networks
- ROS 2 and embedded robotics stacks that depend on Micro-XRCE-DDS Agent
Discovery Timeline
- 2026-05-01 - CVE-2025-63548 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2025-63548
Vulnerability Analysis
The vulnerability is classified under [CWE-241] Improper Handling of Unexpected Data Type. The Micro-XRCE-DDS Agent parses incoming XRCE protocol messages that contain Boolean fields. The XRCE-DDS specification defines Boolean values as either 0x00 (false) or 0x01 (true). When the agent receives a packet where a Boolean field contains a value outside this set, the parser does not reject the input or fall back to a safe default. The unexpected byte propagates into downstream logic and triggers a fatal condition that terminates the agent.
Because the agent process serves multiple XRCE clients, a single malformed datagram halts communication for every dependent client. Attackers can repeat the packet to keep the service offline.
Root Cause
The root cause is missing input validation on Boolean-typed fields during message deserialization. The agent trusts the wire value rather than enforcing the protocol-defined domain of {0x00, 0x01}. This violates defensive parsing principles for binary protocols.
Attack Vector
Exploitation requires only network reachability to the agent's listening transport, typically UDP. The attacker constructs an XRCE-DDS message with a valid header and submessage layout, then sets one Boolean field to an out-of-domain byte such as 0x02. On receipt, the agent crashes. No credentials, session, or prior interaction are required. See the Eprosima GitHub Issue #389 for the original reporter's technical details.
No public proof-of-concept exploit code is available in verified sources, so the mechanism is described here in prose only.
Detection Methods for CVE-2025-63548
Indicators of Compromise
- Unexpected termination or repeated restarts of the MicroXRCEAgent process without a corresponding administrative action
- Loss of connectivity reported by XRCE-DDS clients followed by reconnection storms
- Inbound UDP traffic to the agent's listening port from untrusted sources preceding agent crashes
Detection Strategies
- Monitor agent process exit codes and core dumps to identify crash patterns consistent with malformed input parsing
- Deploy network sensors that decode XRCE-DDS submessages and flag Boolean fields containing values other than 0x00 or 0x01
- Correlate agent crash events with packet capture timestamps to confirm packet-induced denial of service
Monitoring Recommendations
- Enable verbose agent logging during incident windows to capture the last received message before termination
- Track UDP packet rates to the agent listener and alert on sources sending malformed XRCE traffic
- Add availability checks for downstream ROS 2 or DDS clients that depend on the agent
How to Mitigate CVE-2025-63548
Immediate Actions Required
- Restrict network exposure of the Micro-XRCE-DDS Agent to trusted client subnets using host firewalls or network ACLs
- Audit deployments for the affected v3.0.1 build and inventory exposed listeners
- Apply process supervision so that crashes trigger automatic restart while a permanent fix is pending
Patch Information
No fixed version was identified in the enriched advisory data at the time of publication. Track the upstream issue at Eprosima GitHub Issue #389 and the community CVE listing for fix availability, then upgrade as soon as a patched release is published.
Workarounds
- Place the agent behind an XRCE-aware proxy or filter that rejects packets containing Boolean field values other than 0x00 or 0x01
- Bind the agent to internal interfaces only and require VPN or mTLS-protected transport for remote clients
- Use a process manager such as systemd with Restart=always and rate limiting to limit attacker-induced downtime
# Example systemd hardening for the agent service
[Service]
ExecStart=/usr/local/bin/MicroXRCEAgent udp4 -p 8888
Restart=always
RestartSec=2
StartLimitIntervalSec=60
StartLimitBurst=10
IPAddressAllow=10.0.0.0/8
IPAddressDeny=any
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

