CVE-2025-64331 Overview
A stack overflow vulnerability exists in Suricata, the open-source network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation). In versions prior to 7.0.13 and 8.0.2, a stack overflow can occur during large HTTP file transfers when the HTTP response body limit has been raised above its default and logging of printable HTTP bodies is enabled. The shipped default configuration is not affected. The result is a crash of the sensor process, a denial of service against the monitoring itself, which leaves the segment uninspected until Suricata is restarted.
Critical Impact
This stack overflow (CWE-121, CWE-787) crashes the Suricata process while it logs the printable body of a large HTTP response, so an attacker who can push a large enough response through a monitored segment takes the IDS/IPS sensor offline. The advisory describes the impact as denial of service: detection and prevention coverage is lost for as long as the process is down, and in inline IPS deployments the crash can also affect traffic passing through the sensor.
Affected Products
- OISF Suricata versions prior to 7.0.13
- OISF Suricata versions prior to 8.0.2
- Deployments of those versions in which the libhtp response-body-limit has been raised above the default and http-body-printable is enabled in the EVE alert output (the shipped default configuration is not affected)
Discovery Timeline
- 2025-11-26 - CVE-2025-64331 published to NVD
- 2025-12-08 - Last updated in NVD database
Technical Details for CVE-2025-64331
Vulnerability Analysis
This vulnerability is classified as a stack-based buffer overflow (CWE-121) and out-of-bounds write (CWE-787) in the code path that renders an HTTP response body in printable form for Suricata's EVE alert log. Two non-default settings must both be present for the flaw to be reachable: the libhtp response-body-limit (app-layer.protocols.http.libhtp in suricata.yaml) must have been raised above the shipped default, and http-body-printable must be enabled under the alert type of an eve-log output.
When both hold, a sufficiently large HTTP response body, a file download for example, processed through that logging path overflows the stack and crashes the Suricata process. While the process is down, traffic on the monitored segment is neither inspected nor logged; in inline IPS mode forwarding may be affected as well.
Root Cause
The root cause is insufficient bounds checking when HTTP response body data is prepared for printable logging. The amount of body data that can reach the stack-allocated buffer used there is governed by response-body-limit, so the shipped default keeps it within safe bounds, while a raised limit allows a large response body to exceed the buffer and overwrite the stack (CWE-121, CWE-787). The default configuration avoids the path entirely: response-body-limit stays at its default and http-body-printable is left disabled.
Attack Vector
The vulnerability is reachable over the network without authentication and without any interaction on the sensor: the attacker only needs a large HTTP response to cross a segment that a vulnerable Suricata instance inspects, for example by serving a large file from a host they control and having a monitored client download it, or by downloading it themselves from inside the monitored network. Because http-body-printable is an option of the EVE alert output, the body is rendered in printable form when an alert fires on that transaction, so the transfer also has to match a rule. The attack targets the HTTP response body logging path.
The exploitation scenario involves:
- A sensor whose configuration raises the HTTP response body limit and enables http-body-printable; the attacker cannot see this from outside, so in practice the attempt is opportunistic
- A large HTTP response (a file download) traversing the monitored segment, with an alert raised on that transaction
- Suricata overflowing the stack while rendering the printable body for the alert record
- The process crashing and network visibility being lost until it is restarted; a restart does not stop the attacker from repeating the transfer
For technical implementation details, refer to the GitHub Security Advisory.
Detection Methods for CVE-2025-64331
Indicators of Compromise
- Unexpected exits or restarts of the Suricata process during periods of high HTTP traffic
- Unusually large HTTP file transfers immediately preceding the interruption
- Kernel "segfault at ... in suricata" messages and SIGSEGV exits of the Suricata unit in the system journal; Suricata cannot log its own stack overflow, so look at the kernel and init system rather than suricata.log
- Gaps in EVE output coinciding with the large transfers
Detection Strategies
- Monitor Suricata process state (for example the systemd unit's exit status and restart counter) and alert on unexpected exits or restarts
- Review suricata.yaml for a response-body-limit above the shipped 100kb default under app-layer.protocols.http.libhtp, including any server-config overrides
- Check whether http-body-printable is set to yes under the alert type of any eve-log output; the shipped file leaves it commented out
- Track the Suricata version of every sensor in inventory so that instances below 7.0.13 or 8.0.2 can be listed
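The configuration and version audit described in the strategies above, written out as an added example in standard-library Python (this is not Suricata project code). It checks a suricata.yaml excerpt for the two trigger conditions and a version string against the fixed releases. Assumptions: the keys response-body-limit (app-layer.protocols.http.libhtp) and http-body-printable (outputs.eve-log.types.alert) as laid out in the shipped suricata.yaml, the 100kb shipped default, that a limit of 0 means "no limit", and that branches with no fixed release (6.x and older) count as affected; the sample configuration is constructed.

```python
"""Added example (not Suricata project code): audit a suricata.yaml excerpt
and a version string for the CVE-2025-64331 trigger conditions.
Assumed keys: 'response-body-limit' under app-layer.protocols.http.libhtp and
'http-body-printable' under the eve-log alert type, as in the shipped file."""
import re

DEFAULT_RESPONSE_BODY_LIMIT = 100 * 1024       # shipped suricata.yaml: 100kb
FIXED_VERSIONS = {7: (7, 0, 13), 8: (8, 0, 2)}  # first fixed release per branch

_SIZE_RE = re.compile(r"^(\d+)\s*([kmg]?b)?$", re.IGNORECASE)
_UNITS = {"b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")
_TRUE = {"yes", "true", "on", "1"}


def parse_size(text):
    """Convert a Suricata size string such as '100kb' or '2mb' to bytes."""
    m = _SIZE_RE.match(text.strip().strip("\"'"))
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * _UNITS[(m.group(2) or "b").lower()]


def version_is_vulnerable(version):
    """True if the release predates the fix for its branch (7.0.13 / 8.0.2)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    parsed = tuple(int(x) for x in m.groups())
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        # Assumption: branches with no fixed release (6.x and older) are affected.
        return parsed[0] < 8
    return parsed < fixed


def _settings(config_text, key):
    """Yield (line_number, value) for every uncommented 'key: value' line.
    A commented line ('# key: value') cannot match: the key is anchored at the
    start of the line after indentation only."""
    pat = re.compile(r"^\s*" + re.escape(key) + r"\s*:\s*([^#\s]+)")
    for n, line in enumerate(config_text.splitlines(), 1):
        m = pat.match(line)
        if m:
            yield n, m.group(1).strip("\"'")


def audit_config(config_text):
    """Report raised response body limits and enabled printable-body logging."""
    raised = []
    for n, value in _settings(config_text, "response-body-limit"):
        size = parse_size(value)
        # Assumption: 0 means 'no limit' in Suricata, the worst case here.
        if size == 0 or size > DEFAULT_RESPONSE_BODY_LIMIT:
            raised.append((n, value))
    printable = [(n, v) for n, v in _settings(config_text, "http-body-printable")
                 if v.lower() in _TRUE]
    return {
        "raised_limits": raised,
        "printable_body_logging": printable,
        "trigger_conditions_present": bool(raised) and bool(printable),
    }


def assess(version, config_text):
    """Combine the version and configuration checks into one verdict."""
    result = audit_config(config_text)
    result["version_vulnerable"] = version_is_vulnerable(version)
    result["vulnerable"] = result["version_vulnerable"] and result["trigger_conditions_present"]
    return result


# Constructed excerpt with both trigger conditions present.
SAMPLE_CONFIG = """\
app-layer:
  protocols:
    http:
      enabled: yes
      libhtp:
        default-config:
          personality: IDS
          request-body-limit: 100kb
          response-body-limit: 2mb   # raised from the 100kb default
outputs:
  - eve-log:
      enabled: yes
      types:
        - alert:
            payload: yes
            payload-printable: yes
            # http-body: yes
            http-body-printable: yes
        - http:
            extended: yes
"""

if __name__ == "__main__":
    for version in ("7.0.12", "7.0.13", "8.0.1", "8.0.2"):
        print(version, assess(version, SAMPLE_CONFIG)["vulnerable"])
```

The check is deliberately line-oriented rather than a full YAML parse: the two keys are unambiguous in the shipped file, commented-out defaults are skipped because the key must start the line, and any server-config override of response-body-limit is caught as well. Run it against a real suricata.yaml by passing the file's contents to assess together with the output of suricata -V.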
Monitoring Recommendations
- Run Suricata under a service manager that records exit status and restarts it on failure, and alert on the restart counter rather than only on the final service state
- Collect kernel segfault messages and unit exit/restart messages centrally so that a crash on a sensor is visible even while that sensor's own logging is down
- Correlate crash timestamps with large HTTP transfers recorded in EVE http or fileinfo events from just before the crash
- Treat any unexplained Suricata interruption as a monitoring gap and review traffic from that window with other sources (flow logs, packet captures) where available
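The crash detection from the recommendations above, as an added example (not Suricata or systemd code): it scans journal or syslog text for kernel segfault messages attributed to the suricata binary, SIGSEGV exits of the Suricata unit and systemd restart-counter messages, and reports whether the sensor is in a crash loop. The sample lines are constructed, modelled on the Linux kernel's "segfault at" message and systemd's unit exit/restart messages; the exact field layouts and the 1 MiB "near the stack" threshold are assumptions to verify against a real host.

```python
"""Added example (not Suricata or systemd code): find Suricata crashes and
crash loops in journal/syslog text. The sample lines are constructed,
modelled on the Linux kernel 'segfault at' message and systemd's unit
exit/restart messages; the exact layouts are assumptions to verify against
a real host."""
import re

# x86 page-fault error code printed by the kernel: bit 1 set = write access,
# which is what an out-of-bounds write (CWE-787) produces.
_PF_WRITE = 1 << 1
# Heuristic (assumed threshold): a fault address within 1 MiB of the saved
# stack pointer is reported as 'near the stack'.
_STACK_WINDOW = 1 << 20

_TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
SEGFAULT_RE = re.compile(
    _TS + r"kernel: (?:\[ *[\d.]+\] )?(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at "
    r"(?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>[^\[\s]+)")
EXIT_RE = re.compile(
    _TS + r"systemd\[\d+\]: (?P<unit>suricata[^:]*\.service): Main process exited, "
    r"code=(?P<code>\w+), status=(?P<status>\S+)")
RESTART_RE = re.compile(
    _TS + r"systemd\[\d+\]: (?P<unit>suricata[^:]*\.service): Scheduled restart job, "
    r"restart counter is at (?P<n>\d+)")


def parse_journal(text):
    """Return crash-related events (segfault, exit, restart) found in the text."""
    events = []
    for line in text.splitlines():
        m = SEGFAULT_RE.search(line)
        if m and m.group("obj") == "suricata":
            addr, sp = int(m.group("addr"), 16), int(m.group("sp"), 16)
            events.append({
                "ts": m.group("ts"), "kind": "segfault",
                "thread": m.group("comm"), "pid": int(m.group("pid")),
                "write_fault": bool(int(m.group("err")) & _PF_WRITE),
                "near_stack": abs(addr - sp) < _STACK_WINDOW,
            })
            continue
        m = EXIT_RE.search(line)
        if m:
            events.append({"ts": m.group("ts"), "kind": "exit", "unit": m.group("unit"),
                           "code": m.group("code"), "status": m.group("status")})
            continue
        m = RESTART_RE.search(line)
        if m:
            events.append({"ts": m.group("ts"), "kind": "restart",
                           "unit": m.group("unit"), "counter": int(m.group("n"))})
    return events


def summarize(events, loop_threshold=2):
    """Aggregate the events into the figures an alert rule would key on."""
    segfaults = [e for e in events if e["kind"] == "segfault"]
    signal_exits = [e for e in events if e["kind"] == "exit" and e["code"] == "killed"]
    counters = [e["counter"] for e in events if e["kind"] == "restart"]
    return {
        "segfaults": len(segfaults),
        "write_faults": sum(e["write_fault"] for e in segfaults),
        "near_stack": sum(e["near_stack"] for e in segfaults),
        "signal_exits": len(signal_exits),
        "max_restart_counter": max(counters, default=0),
        # Repeated signal deaths in one window: the sensor is being knocked
        # over faster than auto-restart can restore visibility.
        "crash_loop": len(signal_exits) >= loop_threshold,
    }


# Constructed journal excerpt: two worker-thread crashes six minutes apart.
JOURNAL_SAMPLE = """\
Nov 27 14:03:11 sensor01 kernel: W#01-eth1[21487]: segfault at 7ffc3a1f0ff8 ip 000055d1c2b4a3e2 sp 00007ffc3a1f0fe0 error 6 in suricata[55d1c2900000+4b2000]
Nov 27 14:03:11 sensor01 systemd[1]: suricata.service: Main process exited, code=killed, status=11/SEGV
Nov 27 14:03:11 sensor01 systemd[1]: suricata.service: Failed with result 'signal'.
Nov 27 14:03:12 sensor01 systemd[1]: suricata.service: Scheduled restart job, restart counter is at 1.
Nov 27 14:03:12 sensor01 systemd[1]: Started suricata.service - Suricata IDS/IPS daemon.
Nov 27 14:09:44 sensor01 kernel: W#03-eth1[21590]: segfault at 7ffc9b2e3fd0 ip 000055e0a4c1a3e2 sp 00007ffc9b2e3fc8 error 6 in suricata[55e0a4a70000+4b2000]
Nov 27 14:09:44 sensor01 systemd[1]: suricata.service: Main process exited, code=killed, status=11/SEGV
Nov 27 14:09:45 sensor01 systemd[1]: suricata.service: Scheduled restart job, restart counter is at 2.
"""

if __name__ == "__main__":
    print(summarize(parse_journal(JOURNAL_SAMPLE)))
```

Two details make the segfault line more useful than a bare "crashed": the kernel's error code reveals whether the faulting access was a write, and a fault address sitting right next to the saved stack pointer points at the stack rather than the heap. Neither proves this CVE on its own, but together with a large HTTP transfer in the preceding EVE records they are the evidence worth attaching to the incident.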
How to Mitigate CVE-2025-64331
Immediate Actions Required
- Upgrade Suricata to 7.0.13 (7.x branch) or 8.0.2 (8.x branch)
- Audit the current suricata.yaml for a response-body-limit above the 100kb default
- Disable http-body-printable under the eve-log alert type until the upgrade is complete unless it is strictly required; it is off by default
- Configure automatic restart of the service to shorten outages; this limits downtime but does not prevent an attacker from crashing the sensor again
Patch Information
The OISF has released patched versions that address this stack overflow vulnerability. Organizations should upgrade to Suricata version 7.0.13 (for the 7.x branch) or version 8.0.2 (for the 8.x branch) to fully remediate this issue. Patch details and release notes are available through the GitHub Security Advisory.
Workarounds
- Keep the HTTP response body limit at its default (100kb) in suricata.yaml
- Leave http-body-printable disabled (it is commented out in the shipped configuration)
- Network-level rate limiting of HTTP transfers slows an attacker down but does not remove the trigger, which is the size of a single response body rather than transfer speed
- Redundant Suricata sensors preserve visibility only if they are patched or configured differently; two sensors with the same vulnerable configuration see the same transfer and crash together
# Configuration example - the two settings to verify in suricata.yaml,
# shown at their locations in the shipped file
#
# 1. Response body limit: keep the 100kb default (or lower it again)
app-layer:
  protocols:
    http:
      libhtp:
        default-config:
          request-body-limit: 100kb
          response-body-limit: 100kb   # a raised value is one of the two triggers
#
# 2. Printable body logging is an option of the alert type, not the http type;
#    leave it commented out (the default) or set it to no
outputs:
  - eve-log:
      enabled: yes
      types:
        - alert:
            # http-body: yes
            # http-body-printable: yes   # do not enable on versions before 7.0.13 / 8.0.2
        - http:
            extended: yes
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

