CVE-2025-64333 Overview
CVE-2025-64333 is a stack overflow vulnerability in Suricata, the open-source network intrusion detection, prevention, and monitoring engine maintained by the Open Information Security Foundation (OISF). The flaw exists in Suricata versions prior to 7.0.13 and 8.0.2. An attacker can send traffic containing a large HTTP Content-Type header that, when logged, causes a stack overflow and crashes the Suricata process. The issue affects availability of the monitoring engine and is tracked under [CWE-121] Stack-based Buffer Overflow and [CWE-787] Out-of-bounds Write.
Critical Impact
Remote, unauthenticated attackers can crash Suricata sensors by transmitting HTTP traffic with an oversized Content-Type header, degrading network visibility and intrusion prevention coverage.
Affected Products
- OISF Suricata versions prior to 7.0.13
- OISF Suricata 8.x versions prior to 8.0.2
- Deployments using HTTP logging with default stream.reassembly.depth settings
Discovery Timeline
- 2025-11-26 - CVE-2025-64333 published to the National Vulnerability Database
- 2025-12-05 - Last updated in the NVD database
Technical Details for CVE-2025-64333
Vulnerability Analysis
The vulnerability resides in Suricata's HTTP logging code path. When Suricata processes an HTTP transaction and logs it, the engine handles the Content-Type header on the stack. A sufficiently large Content-Type value exceeds the available stack frame size, triggering a stack-based buffer overflow that terminates the Suricata process.
Because Suricata is widely deployed as an inline IPS or passive IDS sensor, a crash disrupts traffic inspection, alerting, and in some deployments, blocking. The result is loss of network detection coverage for the duration of the outage. The CVSS vector indicates the impact is limited to availability, with no confidentiality or integrity compromise.
Root Cause
The root cause is unbounded stack allocation tied to the size of an attacker-controlled HTTP header. The logging routine does not validate or cap the Content-Type length before placing it on the stack. When the input crosses the stack guard boundary, the process aborts. The bug is classified as both a stack overflow [CWE-121] and an out-of-bounds write [CWE-787].
Attack Vector
An attacker sends crafted HTTP traffic across a network segment that Suricata inspects. The HTTP request or response must carry an unusually large Content-Type header. No authentication, user interaction, or special privileges are required. The crash occurs when Suricata reassembles the stream and invokes the logging path. Refer to the OISF Suricata Security Advisory GHSA-537h-xxmx-v87m for upstream technical detail.
Detection Methods for CVE-2025-64333
Indicators of Compromise
- Unexpected termination or repeated restarts of the suricata process on sensor hosts
- Core dump files generated by Suricata in the configured crash directory
- Gaps in eve.json logs or HTTP transaction records correlated with sensor restarts
- HTTP traffic containing Content-Type header values exceeding several kilobytes
Detection Strategies
- Monitor Suricata process health and exit codes through systemd, supervisord, or equivalent process supervisors
- Alert on abnormally large HTTP Content-Type headers using upstream perimeter inspection or WAF telemetry
- Track ingestion gaps in SIEM pipelines that consume Suricata eve.json output
Monitoring Recommendations
- Forward Suricata stats and engine logs to a centralized logging platform and alert on engine-shutdown events
- Baseline normal HTTP header sizes per environment and flag outliers for review
- Validate sensor uptime continuously and treat unexpected restarts as a security event pending triage
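Added example, not from this advisory or the Suricata project: a Python scan over constructed eve.json lines that implements two of the strategies above, flagging HTTP records whose Content-Type exceeds an assumed 4 KiB threshold and reporting quiet periods long enough to suggest a sensor restart. The http.http_content_type key, the threshold and the sample events are assumptions for the demo.

```python
import json
from datetime import datetime, timedelta

# Assumed threshold: the advisory describes the trigger as a Content-Type value of
# "several kilobytes", so anything above 4 KiB is flagged; tune to your baseline.
CONTENT_TYPE_LIMIT = 4096
# No events at all for longer than this suggests the engine restarted.
MAX_QUIET = timedelta(seconds=60)
# Constructed eve.json lines for the demo (not real sensor output).
# http.http_content_type is the key Suricata's EVE HTTP output uses for the header.
SAMPLE_EVE = "\n".join([
    json.dumps({"timestamp": "2025-11-26T10:00:00.000000+0000", "event_type": "http",
                "src_ip": "198.51.100.5", "http": {"http_content_type": "text/html"}}),
    json.dumps({"timestamp": "2025-11-26T10:00:05.000000+0000", "event_type": "http",
                "src_ip": "203.0.113.7", "http": {"http_content_type": "x" * 5000}}),
    json.dumps({"timestamp": "2025-11-26T10:00:10.000000+0000", "event_type": "stats"}),
    json.dumps({"timestamp": "2025-11-26T10:03:00.000000+0000", "event_type": "http",
                "src_ip": "198.51.100.5", "http": {"http_content_type": "application/json"}}),
])

def parse_eve(text):
    """Parse newline-delimited EVE JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            try:
                events.append(json.loads(line))
            except json.JSONDecodeError:
                continue
    return events

def _ts(event):
    return datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")

def oversized_content_type(events, limit=CONTENT_TYPE_LIMIT):
    """(timestamp, src_ip, length) for HTTP records whose Content-Type exceeds limit."""
    hits = []
    for ev in events:
        ctype = ev.get("http", {}).get("http_content_type", "")
        if ev.get("event_type") == "http" and len(ctype) > limit:
            hits.append((ev["timestamp"], ev.get("src_ip"), len(ctype)))
    return hits

def ingestion_gaps(events, max_quiet=MAX_QUIET):
    """(last_seen, next_seen) pairs where no event arrived for longer than max_quiet."""
    stamps = sorted(_ts(ev) for ev in events if "timestamp" in ev)
    return [(a.isoformat(), b.isoformat())
            for a, b in zip(stamps, stamps[1:]) if b - a > max_quiet]
```

Run it against a real eve.json by passing the file contents to parse_eve; the gap check covers all event types, so it also catches stats records going silent.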
How to Mitigate CVE-2025-64333
Immediate Actions Required
- Upgrade Suricata to version 7.0.13 or 8.0.2 on all sensor deployments
- Inventory all Suricata instances across IDS, IPS, and NSM tiers to confirm patched versions
- Verify HTTP logging configuration after upgrade and restart sensors in a controlled window
Patch Information
OISF released fixed builds in Suricata 7.0.13 and 8.0.2. Both versions remove the stack overflow condition in the HTTP logging path. Patch details and signed release artifacts are documented in the OISF Suricata Security Advisory GHSA-537h-xxmx-v87m.
Workarounds
- Set stream.reassembly.depth to a value less than half of the configured process stack size to reduce trigger probability
- Increase the Suricata process stack size using ulimit -s or systemd LimitSTACK= so larger headers are tolerated
- Disable HTTP transaction logging temporarily if patching cannot be performed immediately
# Configuration example - suricata.yaml excerpt
stream:
  reassembly:
    depth: 1mb  # keep below half of process stack size

# systemd unit override to raise stack size
# /etc/systemd/system/suricata.service.d/override.conf
[Service]
LimitSTACK=16777216
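As an added example (not OISF code), a Python helper for the upgrade inventory and the depth workaround above: it classifies a Suricata version string against the fixed releases 7.0.13 and 8.0.2, and checks that a stream.reassembly.depth value stays below half the stack size taken from ulimit -s (in KiB) or LimitSTACK= (in bytes). Treating any major version above 8 as fixed is an assumption.

```python
import re

# Fixed releases named in the advisory: 7.0.13 for the 7.x line, 8.0.2 for the 8.x line.
FIXED = {7: (7, 0, 13), 8: (8, 0, 2)}
_UNITS = {"": 1, "b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}

def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'This is Suricata version 7.0.12 RELEASE'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version found in: %r" % text)
    return tuple(int(x) for x in m.groups())

def is_patched(version):
    """True for 7.0.13+, 8.0.2+; anything older (including 6.x) is affected.
    Assumption: a major line above 8 would ship with the fix."""
    major = version[0]
    if major in FIXED:
        return version >= FIXED[major]
    return major > max(FIXED)

def parse_size(text):
    """Convert Suricata size strings such as '1mb', '512kb' or '1048576' to bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([kmg]?b)?\s*", text.lower())
    if not m:
        raise ValueError("bad size: %r" % text)
    return int(m.group(1)) * _UNITS[m.group(2) or ""]

def stack_bytes_from_ulimit(kib):
    """ulimit -s reports KiB; LimitSTACK= is already in bytes and needs no conversion."""
    return int(kib) * 1024

def depth_within_workaround(depth, stack_bytes):
    """Workaround check: reassembly depth must be strictly below half the stack size."""
    return parse_size(depth) < stack_bytes // 2
```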