CVE-2025-64344 Overview
CVE-2025-64344 is a stack overflow vulnerability affecting Suricata, a widely-deployed network intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring (NSM) engine developed by the Open Information Security Foundation (OISF). The vulnerability exists in the Lua scripting interface, where processing large buffers can trigger a stack overflow condition, potentially leading to denial of service.
Prior to versions 7.0.13 and 8.0.2, working with large buffers in Lua scripts can exhaust the available stack space. This vulnerability affects users who leverage Lua rules and output scripts, particularly when those scripts process large data buffers. An attacker could exploit this by crafting network traffic that causes a Lua rule to process an oversized buffer, triggering the stack overflow and crashing the Suricata process.
Critical Impact
Exploitation of this vulnerability can cause Suricata to crash, resulting in a complete loss of network monitoring and intrusion prevention capabilities, leaving the network unprotected against malicious traffic.
Affected Products
- OISF Suricata versions prior to 7.0.13
- OISF Suricata versions prior to 8.0.2
- Deployments utilizing Lua rules or Lua output scripts
Discovery Timeline
- 2025-11-26 - CVE-2025-64344 published to NVD
- 2025-12-03 - Last updated in NVD database
Technical Details for CVE-2025-64344
Vulnerability Analysis
This vulnerability is classified under CWE-121 (Stack-based Buffer Overflow) and CWE-787 (Out-of-bounds Write). The flaw manifests when Suricata's Lua scripting engine processes buffers that exceed the available stack space. In network security monitoring scenarios, Suricata may encounter large HTTP response bodies, reassembled TCP streams, or other network data that gets passed to Lua scripts for custom inspection or logging.
When a Lua script attempts to work with these large buffers, the stack memory allocated for the operation can be exceeded. This is particularly problematic because Suricata operates as a critical security component—a crash not only disrupts monitoring but also potentially allows malicious traffic to pass undetected during the service disruption.
The attack can be executed remotely over the network without requiring authentication or user interaction. An attacker with knowledge of the deployed Lua rules could craft traffic specifically designed to pass large buffers to vulnerable script handlers, causing the stack to overflow and the Suricata process to terminate.
Root Cause
The root cause lies in insufficient boundary checking when handling buffer data within Lua script execution contexts. The Lua HTTP accessor functions in src/util-lua-http.c did not properly validate buffer sizes before stack allocation operations. Additionally, the code contained null pointer dereference issues that were addressed in the security patch. When extremely large buffers from network traffic (such as HTTP response bodies or reassembled stream data) are passed to Lua scripts, the stack cannot accommodate the memory requirements, leading to overflow.
Attack Vector
The vulnerability can be exploited through network-based attacks by sending specially crafted traffic to a network monitored by Suricata. The attack sequence involves:
- An attacker identifies that a target network uses Suricata with Lua-based rules or output scripts
- The attacker crafts network traffic (such as HTTP responses with large bodies) that will trigger Lua script processing
- When Suricata processes this traffic and passes the large buffer to a Lua script, the stack overflows
- Suricata crashes, causing temporary loss of network security monitoring
The security patch addresses this issue by fixing null dereference handling in the TX HTTP accessor functions:
*/
#include "suricata-common.h"
#include "app-layer-htp.h"
#include "util-lua.h"
#include "util-lua-common.h"
Source: GitHub Commit e13fe6a
Detection Methods for CVE-2025-64344
Indicators of Compromise
- Unexpected Suricata process crashes or restarts, particularly during periods of high network traffic
- Core dumps or crash logs indicating stack overflow conditions in Lua-related functions
- Segmentation fault errors in Suricata logs referencing util-lua-http.c or Lua script execution
- Abnormally large HTTP responses or reassembled stream data in network traffic preceding crashes
Detection Strategies
- Monitor Suricata process stability and alert on unexpected terminations or frequent restarts
- Implement log analysis for stack overflow indicators, segmentation faults, or Lua execution errors
- Review network traffic logs for unusually large HTTP response bodies that coincide with Suricata crashes
- Deploy application-level monitoring to track memory usage patterns in Suricata processes
Monitoring Recommendations
- Configure system monitoring to track Suricata process health and automatically alert on crashes
- Enable verbose logging for Lua script execution to identify problematic buffer handling
- Monitor for traffic patterns that may indicate attempted exploitation, such as repeated large HTTP responses to monitored segments
- Set up automated restart mechanisms with alerting to maintain continuous protection while investigating incidents
How to Mitigate CVE-2025-64344
Immediate Actions Required
- Upgrade Suricata to version 7.0.13 or 8.0.2 immediately to patch the vulnerability
- Review all deployed Lua rules and output scripts to identify those that process potentially large buffers
- Implement buffer size limits as described in the workaround section if immediate patching is not possible
- Monitor Suricata logs closely for signs of exploitation attempts or crashes
Patch Information
OISF has released patched versions of Suricata that address this vulnerability. Users should upgrade to version 7.0.13 (for the 7.x branch) or version 8.0.2 (for the 8.x branch). The security fix is documented in the GitHub Security Advisory and the specific commit can be reviewed at the OISF Suricata repository.
Workarounds
- Disable Lua rules and output scripts entirely if they are not critical to your deployment
- Configure stream.depth.reassembly to limit the size of reassembled stream data passed to Lua scripts
- Set HTTP response body limits using response-body-limit configuration option to less than half the stack size
- Implement strict input validation in custom Lua scripts to reject oversized buffers before processing
# Configuration example for suricata.yaml
# Set stream reassembly depth limit
stream:
reassembly:
depth: 1mb
# Set HTTP response body limit
app-layer:
protocols:
http:
libhtp:
default-config:
response-body-limit: 1mb
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
