Refine your search
16 vulnerabilities found for suricata by oisf
CVE-2025-59150 (GCVE-0-2025-59150)
Vulnerability from nvd
Published
2025-10-01 20:23
Modified
2025-10-23 13:12
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-476 - NULL Pointer Dereference
Summary
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Version 8.0.0's usage of the tls.subjectaltname keyword can lead to a segmentation fault when the decoded subjectaltname contains a NULL byte. This issue is fixed in version 8.0.1. To workaround this issue, disable rules using the tls.subjectaltname keyword.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59150",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-02T15:39:20.519524Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T15:54:30.373Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-10-23T13:12:27.248Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-59150-suricata-detection-script"
},
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-59150-suricata-mitigation-script"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"product": "suricata",
"vendor": "OISF",
"versions": [
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Version 8.0.0\u0027s usage of the tls.subjectaltname keyword can lead to a segmentation fault when the decoded subjectaltname contains a NULL byte. This issue is fixed in version 8.0.1. To workaround this issue, disable rules using the tls.subjectaltname keyword."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476: NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:24:28.157Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OISF/suricata/security/advisories/GHSA-mhv7-qfmj-m3f3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OISF/suricata/security/advisories/GHSA-mhv7-qfmj-m3f3"
},
{
"name": "https://github.com/OISF/suricata/commit/d590fdfe42e995fd558315f0c24f9a352e21479d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OISF/suricata/commit/d590fdfe42e995fd558315f0c24f9a352e21479d"
},
{
"name": "https://forum.suricata.io/t/suricata-8-0-1-and-7-0-12-released/6018",
"tags": [
"x_refsource_MISC"
],
"url": "https://forum.suricata.io/t/suricata-8-0-1-and-7-0-12-released/6018"
},
{
"name": "https://redmine.openinfosecfoundation.org/issues/7881",
"tags": [
"x_refsource_MISC"
],
"url": "https://redmine.openinfosecfoundation.org/issues/7881"
}
],
"source": {
"advisory": "GHSA-mhv7-qfmj-m3f3",
"discovery": "UNKNOWN"
},
"title": "Suricata: Keyword tls.subjectaltname can lead to NULL-ptr deref"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59150",
"datePublished": "2025-10-01T20:23:54.207Z",
"dateReserved": "2025-09-09T15:23:16.326Z",
"dateUpdated": "2025-10-23T13:12:27.248Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-29918 (GCVE-0-2025-29918)
Vulnerability from nvd
Published
2025-04-10 21:02
Modified
2025-11-03 19:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Summary
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. A PCRE rule can be written that leads to an infinite loop when negated PCRE is used. Packet processing thread becomes stuck in infinite loop limiting visibility and availability in inline mode. This vulnerability is fixed in 7.0.9.
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-29918",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-11T15:56:04.780002Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-11T16:03:41.477Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:46:43.978Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00029.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "suricata",
"vendor": "OISF",
"versions": [
{
"status": "affected",
"version": "\u003c 7.0.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. A PCRE rule can be written that leads to an infinite loop when negated PCRE is used. Packet processing thread becomes stuck in infinite loop limiting visibility and availability in inline mode. This vulnerability is fixed in 7.0.9."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-835",
"description": "CWE-835: Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T21:02:32.646Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OISF/suricata/security/advisories/GHSA-924c-vvm5-9mqx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OISF/suricata/security/advisories/GHSA-924c-vvm5-9mqx"
},
{
"name": "https://github.com/OISF/suricata/commit/b14c67cbdf25fa6c7ffe0d04ddf3ebe67b12b50b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OISF/suricata/commit/b14c67cbdf25fa6c7ffe0d04ddf3ebe67b12b50b"
},
{
"name": "https://redmine.openinfosecfoundation.org/issues/7526",
"tags": [
"x_refsource_MISC"
],
"url": "https://redmine.openinfosecfoundation.org/issues/7526"
}
],
"source": {
"advisory": "GHSA-924c-vvm5-9mqx",
"discovery": "UNKNOWN"
},
"title": "Suricata pcre: negated pcr can cause infinite loop"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-29918",
"datePublished": "2025-04-10T21:02:32.646Z",
"dateReserved": "2025-03-12T13:42:22.135Z",
"dateUpdated": "2025-11-03T19:46:43.978Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-55626 (GCVE-0-2024-55626)
Vulnerability from nvd
Published
2025-01-06 17:47
Modified
2025-11-03 19:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-680 - Integer Overflow to Buffer Overflow
Summary
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, a large BPF filter file provided to Suricata at startup can lead to a buffer overflow at Suricata startup. The issue has been addressed in Suricata 7.0.8.
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-55626",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-06T19:15:39.252344Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T19:15:49.387Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:32:13.234Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00029.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "suricata",
"vendor": "OISF",
"versions": [
{
"status": "affected",
"version": "\u003c 7.0.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, a large BPF filter file provided to Suricata at startup can lead to a buffer overflow at Suricata startup. The issue has been addressed in Suricata 7.0.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-680",
"description": "CWE-680: Integer Overflow to Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T17:47:07.213Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OISF/suricata/security/advisories/GHSA-wmg4-jqx5-4h9v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OISF/suricata/security/advisories/GHSA-wmg4-jqx5-4h9v"
},
{
"name": "https://github.com/OISF/suricata/commit/dd71ef0af222a566e54dfc479dd1951dd17d7ceb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OISF/suricata/commit/dd71ef0af222a566e54dfc479dd1951dd17d7ceb"
},
{
"name": "https://redmine.openinfosecfoundation.org/issues/7366",
"tags": [
"x_refsource_MISC"
],
"url": "https://redmine.openinfosecfoundation.org/issues/7366"
}
],
"source": {
"advisory": "GHSA-wmg4-jqx5-4h9v",
"discovery": "UNKNOWN"
},
"title": "Suricata oversized bpf file can lead to buffer overflow"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-55626",
"datePublished": "2025-01-06T17:47:07.213Z",
"dateReserved": "2024-12-09T17:48:05.556Z",
"dateUpdated": "2025-11-03T19:32:13.234Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-45796 (GCVE-0-2024-45796)
Vulnerability from nvd
Published
2024-10-16 18:41
Modified
2025-11-03 19:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-193 - Off-by-one Error
Summary
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, a logic error during fragment reassembly can lead to failed reassembly for valid traffic. An attacker could craft packets to trigger this behavior.This issue has been addressed in 7.0.7.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "suricata",
"vendor": "oisf",
"versions": [
{
"lessThan": "7.0.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45796",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-17T17:15:59.665953Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T17:16:06.095Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:30:58.408Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00029.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "suricata",
"vendor": "OISF",
"versions": [
{
"status": "affected",
"version": "\u003c 7.0.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, a logic error during fragment reassembly can lead to failed reassembly for valid traffic. An attacker could craft packets to trigger this behavior.This issue has been addressed in 7.0.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-193",
"description": "CWE-193: Off-by-one Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-16T18:41:43.559Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OISF/suricata/security/advisories/GHSA-mf6r-3xp2-v7xg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OISF/suricata/security/advisories/GHSA-mf6r-3xp2-v7xg"
},
{
"name": "https://redmine.openinfosecfoundation.org/issues/7067",
"tags": [
"x_refsource_MISC"
],
"url": "https://redmine.openinfosecfoundation.org/issues/7067"
}
],
"source": {
"advisory": "GHSA-mf6r-3xp2-v7xg",
"discovery": "UNKNOWN"
},
"title": "Suricata defrag: off by one can lead to policy bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45796",
"datePublished": "2024-10-16T18:41:43.559Z",
"dateReserved": "2024-09-09T14:23:07.502Z",
"dateUpdated": "2025-11-03T19:30:58.408Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-37151 (GCVE-0-2024-37151)
Vulnerability from nvd
Published
2024-07-11 14:39
Modified
2025-11-03 19:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Summary
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine.
Mishandling of multiple fragmented packets using the same IP ID value can lead to packet reassembly failure, which can lead to policy bypass. Upgrade to 7.0.6 or 6.0.20. When using af-packet, enable `defrag` to reduce the scope of the problem.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:oisf:suricata:6.0.0:-:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "suricata",
"vendor": "oisf",
"versions": [
{
"lessThan": "6.0.20",
"status": "affected",
"version": "6.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oisf:suricata:7.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "suricata",
"vendor": "oisf",
"versions": [
{
"lessThan": "7.0.6",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37151",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-11T15:59:30.704290Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-12T15:51:20.755Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:30:13.398Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/OISF/suricata/security/advisories/GHSA-qrp7-g66m-px24",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/OISF/suricata/security/advisories/GHSA-qrp7-g66m-px24"
},
{
"name": "https://github.com/OISF/suricata/commit/9d5c4273cb7e5ca65f195f7361f0d848c85180e0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OISF/suricata/commit/9d5c4273cb7e5ca65f195f7361f0d848c85180e0"
},
{
"name": "https://github.com/OISF/suricata/commit/aab7f35c76721df19403a7c0c0025feae12f3b6b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OISF/suricata/commit/aab7f35c76721df19403a7c0c0025feae12f3b6b"
},
{
"name": "https://redmine.openinfosecfoundation.org/issues/7041",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://redmine.openinfosecfoundation.org/issues/7041"
},
{
"name": "https://redmine.openinfosecfoundation.org/issues/7042",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://redmine.openinfosecfoundation.org/issues/7042"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00029.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "suricata",
"vendor": "OISF",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.0.20"
},
{
"status": "affected",
"version": "\u003e= 7.0.0,\u003c 7.0.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. \nMishandling of multiple fragmented packets using the same IP ID value can lead to packet reassembly failure, which can lead to policy bypass. Upgrade to 7.0.6 or 6.0.20. When using af-packet, enable `defrag` to reduce the scope of the problem."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-11T14:39:32.766Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OISF/suricata/security/advisories/GHSA-qrp7-g66m-px24",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OISF/suricata/security/advisories/GHSA-qrp7-g66m-px24"
},
{
"name": "https://github.com/OISF/suricata/commit/9d5c4273cb7e5ca65f195f7361f0d848c85180e0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OISF/suricata/commit/9d5c4273cb7e5ca65f195f7361f0d848c85180e0"
},
{
"name": "https://github.com/OISF/suricata/commit/aab7f35c76721df19403a7c0c0025feae12f3b6b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OISF/suricata/commit/aab7f35c76721df19403a7c0c0025feae12f3b6b"
},
{
"name": "https://redmine.openinfosecfoundation.org/issues/7041",
"tags": [
"x_refsource_MISC"
],
"url": "https://redmine.openinfosecfoundation.org/issues/7041"
},
{
"name": "https://redmine.openinfosecfoundation.org/issues/7042",
"tags": [
"x_refsource_MISC"
],
"url": "https://redmine.openinfosecfoundation.org/issues/7042"
}
],
"source": {
"advisory": "GHSA-qrp7-g66m-px24",
"discovery": "UNKNOWN"
},
"title": "Suricata defrag: IP ID reuse can lead to policy bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-37151",
"datePublished": "2024-07-11T14:39:32.766Z",
"dateReserved": "2024-06-03T17:29:38.328Z",
"dateUpdated": "2025-11-03T19:30:13.398Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-32663 (GCVE-0-2024-32663)
Vulnerability from nvd
Published
2024-05-07 14:48
Modified
2025-11-03 19:29
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, a small amount of HTTP/2 traffic can lead to Suricata using a large amount of memory. The issue has been addressed in Suricata 7.0.5 and 6.0.19. Workarounds include disabling the HTTP/2 parser and reducing `app-layer.protocols.http2.max-table-size` value (default is 65536).
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32663",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-07T17:39:47.421590Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:51:29.291Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:29:48.378Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/OISF/suricata/security/advisories/GHSA-9jxm-qw9v-266r",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/OISF/suricata/security/advisories/GHSA-9jxm-qw9v-266r"
},
{
"name": "https://github.com/OISF/suricata/commit/08d93f7c3762781b743f88f9fdc4389eb9c3eb64",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OISF/suricata/commit/08d93f7c3762781b743f88f9fdc4389eb9c3eb64"
},
{
"name": "https://github.com/OISF/suricata/commit/c0af92295e833d1db29b184d63cd3b829451d7fd",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OISF/suricata/commit/c0af92295e833d1db29b184d63cd3b829451d7fd"
},
{
"name": "https://github.com/OISF/suricata/commit/d24b37a103c04bb2667e449e080ba4c8e56bb019",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OISF/suricata/commit/d24b37a103c04bb2667e449e080ba4c8e56bb019"
},
{
"name": "https://github.com/OISF/suricata/commit/e68ec4b227d19498f364a41eb25d3182f0383ca5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OISF/suricata/commit/e68ec4b227d19498f364a41eb25d3182f0383ca5"
},
{
"name": "https://redmine.openinfosecfoundation.org/issues/6892",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://redmine.openinfosecfoundation.org/issues/6892"
},
{
"name": "https://redmine.openinfosecfoundation.org/issues/6900",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://redmine.openinfosecfoundation.org/issues/6900"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00029.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "suricata",
"vendor": "OISF",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.0.0, \u003c= 7.0.4"
},
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c= 6.0.18"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, a small amount of HTTP/2 traffic can lead to Suricata using a large amount of memory. The issue has been addressed in Suricata 7.0.5 and 6.0.19. Workarounds include disabling the HTTP/2 parser and reducing `app-layer.protocols.http2.max-table-size` value (default is 65536)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-07T14:48:20.366Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OISF/suricata/security/advisories/GHSA-9jxm-qw9v-266r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OISF/suricata/security/advisories/GHSA-9jxm-qw9v-266r"
},
{
"name": "https://github.com/OISF/suricata/commit/08d93f7c3762781b743f88f9fdc4389eb9c3eb64",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OISF/suricata/commit/08d93f7c3762781b743f88f9fdc4389eb9c3eb64"
},
{
"name": "https://github.com/OISF/suricata/commit/c0af92295e833d1db29b184d63cd3b829451d7fd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OISF/suricata/commit/c0af92295e833d1db29b184d63cd3b829451d7fd"
},
{
"name": "https://github.com/OISF/suricata/commit/d24b37a103c04bb2667e449e080ba4c8e56bb019",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OISF/suricata/commit/d24b37a103c04bb2667e449e080ba4c8e56bb019"
},
{
"name": "https://github.com/OISF/suricata/commit/e68ec4b227d19498f364a41eb25d3182f0383ca5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OISF/suricata/commit/e68ec4b227d19498f364a41eb25d3182f0383ca5"
},
{
"name": "https://redmine.openinfosecfoundation.org/issues/6892",
"tags": [
"x_refsource_MISC"
],
"url": "https://redmine.openinfosecfoundation.org/issues/6892"
},
{
"name": "https://redmine.openinfosecfoundation.org/issues/6900",
"tags": [
"x_refsource_MISC"
],
"url": "https://redmine.openinfosecfoundation.org/issues/6900"
}
],
"source": {
"advisory": "GHSA-9jxm-qw9v-266r",
"discovery": "UNKNOWN"
},
"title": "Suricata \u0027s http2 parser contains an improper compressed header handling can lead to resource starvation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32663",
"datePublished": "2024-05-07T14:48:20.366Z",
"dateReserved": "2024-04-16T14:15:26.878Z",
"dateUpdated": "2025-11-03T19:29:48.378Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-35852 (GCVE-0-2023-35852)
Vulnerability from nvd
Published
2023-06-19 00:00
Modified
2025-11-03 19:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
In Suricata before 6.0.13 (when there is an adversary who controls an external source of rules), a dataset filename, that comes from a rule, may trigger absolute or relative directory traversal, and lead to write access to a local filesystem. This is addressed in 6.0.13 by requiring allow-absolute-filenames and allow-write (in the datasets rules configuration section) if an installation requires traversal/writing in this situation.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:28:15.621Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/OISF/suricata/compare/suricata-6.0.12...suricata-6.0.13"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/OISF/suricata/commit/aee1523b4591430ebed1ded0bb95508e6717a335"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/OISF/suricata/commit/735f5aa9ca3b28cfacc7a443f93a44387fbacf17"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.stamus-networks.com/stamus-labs"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00029.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-35852",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-11T17:05:14.989150Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-11T17:05:39.191Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Suricata before 6.0.13 (when there is an adversary who controls an external source of rules), a dataset filename, that comes from a rule, may trigger absolute or relative directory traversal, and lead to write access to a local filesystem. This is addressed in 6.0.13 by requiring allow-absolute-filenames and allow-write (in the datasets rules configuration section) if an installation requires traversal/writing in this situation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-19T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/OISF/suricata/compare/suricata-6.0.12...suricata-6.0.13"
},
{
"url": "https://github.com/OISF/suricata/commit/aee1523b4591430ebed1ded0bb95508e6717a335"
},
{
"url": "https://github.com/OISF/suricata/commit/735f5aa9ca3b28cfacc7a443f93a44387fbacf17"
},
{
"url": "https://www.stamus-networks.com/stamus-labs"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-35852",
"datePublished": "2023-06-19T00:00:00.000Z",
"dateReserved": "2023-06-19T00:00:00.000Z",
"dateUpdated": "2025-11-03T19:28:15.621Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-45098 (GCVE-0-2021-45098)
Vulnerability from nvd
Published
2021-12-16 04:07
Modified
2025-11-03 19:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in Suricata before 6.0.4. It is possible to bypass/evade any HTTP-based signature by faking an RST TCP packet with random TCP options of the md5header from the client side. After the three-way handshake, it's possible to inject an RST ACK with a random TCP md5header option. Then, the client can send an HTTP GET request with a forbidden URL. The server will ignore the RST ACK and send the response HTTP packet for the client's request. These packets will not trigger a Suricata reject action.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:26:34.251Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OISF/suricata/releases"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://redmine.openinfosecfoundation.org/issues/4710"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OISF/suricata/commit/50e2b973eeec7172991bf8f544ab06fb782b97df"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00029.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Suricata before 6.0.4. It is possible to bypass/evade any HTTP-based signature by faking an RST TCP packet with random TCP options of the md5header from the client side. After the three-way handshake, it\u0027s possible to inject an RST ACK with a random TCP md5header option. Then, the client can send an HTTP GET request with a forbidden URL. The server will ignore the RST ACK and send the response HTTP packet for the client\u0027s request. These packets will not trigger a Suricata reject action."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-16T04:07:57.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OISF/suricata/releases"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://redmine.openinfosecfoundation.org/issues/4710"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OISF/suricata/commit/50e2b973eeec7172991bf8f544ab06fb782b97df"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-45098",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Suricata before 6.0.4. It is possible to bypass/evade any HTTP-based signature by faking an RST TCP packet with random TCP options of the md5header from the client side. After the three-way handshake, it\u0027s possible to inject an RST ACK with a random TCP md5header option. Then, the client can send an HTTP GET request with a forbidden URL. The server will ignore the RST ACK and send the response HTTP packet for the client\u0027s request. These packets will not trigger a Suricata reject action."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/OISF/suricata/releases",
"refsource": "MISC",
"url": "https://github.com/OISF/suricata/releases"
},
{
"name": "https://redmine.openinfosecfoundation.org/issues/4710",
"refsource": "MISC",
"url": "https://redmine.openinfosecfoundation.org/issues/4710"
},
{
"name": "https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942",
"refsource": "MISC",
"url": "https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942"
},
{
"name": "https://github.com/OISF/suricata/commit/50e2b973eeec7172991bf8f544ab06fb782b97df",
"refsource": "MISC",
"url": "https://github.com/OISF/suricata/commit/50e2b973eeec7172991bf8f544ab06fb782b97df"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-45098",
"datePublished": "2021-12-16T04:07:57.000Z",
"dateReserved": "2021-12-16T00:00:00.000Z",
"dateUpdated": "2025-11-03T19:26:34.251Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59150 (GCVE-0-2025-59150)
Vulnerability from cvelistv5
Published
2025-10-01 20:23
Modified
2025-10-23 13:12
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-476 - NULL Pointer Dereference
Summary
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Version 8.0.0's usage of the tls.subjectaltname keyword can lead to a segmentation fault when the decoded subjectaltname contains a NULL byte. This issue is fixed in version 8.0.1. To workaround this issue, disable rules using the tls.subjectaltname keyword.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59150",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-02T15:39:20.519524Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T15:54:30.373Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-10-23T13:12:27.248Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-59150-suricata-detection-script"
},
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-59150-suricata-mitigation-script"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"product": "suricata",
"vendor": "OISF",
"versions": [
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Version 8.0.0\u0027s usage of the tls.subjectaltname keyword can lead to a segmentation fault when the decoded subjectaltname contains a NULL byte. This issue is fixed in version 8.0.1. To workaround this issue, disable rules using the tls.subjectaltname keyword."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476: NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:24:28.157Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OISF/suricata/security/advisories/GHSA-mhv7-qfmj-m3f3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OISF/suricata/security/advisories/GHSA-mhv7-qfmj-m3f3"
},
{
"name": "https://github.com/OISF/suricata/commit/d590fdfe42e995fd558315f0c24f9a352e21479d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OISF/suricata/commit/d590fdfe42e995fd558315f0c24f9a352e21479d"
},
{
"name": "https://forum.suricata.io/t/suricata-8-0-1-and-7-0-12-released/6018",
"tags": [
"x_refsource_MISC"
],
"url": "https://forum.suricata.io/t/suricata-8-0-1-and-7-0-12-released/6018"
},
{
"name": "https://redmine.openinfosecfoundation.org/issues/7881",
"tags": [
"x_refsource_MISC"
],
"url": "https://redmine.openinfosecfoundation.org/issues/7881"
}
],
"source": {
"advisory": "GHSA-mhv7-qfmj-m3f3",
"discovery": "UNKNOWN"
},
"title": "Suricata: Keyword tls.subjectaltname can lead to NULL-ptr deref"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59150",
"datePublished": "2025-10-01T20:23:54.207Z",
"dateReserved": "2025-09-09T15:23:16.326Z",
"dateUpdated": "2025-10-23T13:12:27.248Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-29918 (GCVE-0-2025-29918)
Vulnerability from cvelistv5
Published
2025-04-10 21:02
Modified
2025-11-03 19:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Summary
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. A PCRE rule can be written that leads to an infinite loop when negated PCRE is used. Packet processing thread becomes stuck in infinite loop limiting visibility and availability in inline mode. This vulnerability is fixed in 7.0.9.
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-29918",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-11T15:56:04.780002Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-11T16:03:41.477Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:46:43.978Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00029.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "suricata",
"vendor": "OISF",
"versions": [
{
"status": "affected",
"version": "\u003c 7.0.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. A PCRE rule can be written that leads to an infinite loop when negated PCRE is used. Packet processing thread becomes stuck in infinite loop limiting visibility and availability in inline mode. This vulnerability is fixed in 7.0.9."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-835",
"description": "CWE-835: Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T21:02:32.646Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OISF/suricata/security/advisories/GHSA-924c-vvm5-9mqx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OISF/suricata/security/advisories/GHSA-924c-vvm5-9mqx"
},
{
"name": "https://github.com/OISF/suricata/commit/b14c67cbdf25fa6c7ffe0d04ddf3ebe67b12b50b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OISF/suricata/commit/b14c67cbdf25fa6c7ffe0d04ddf3ebe67b12b50b"
},
{
"name": "https://redmine.openinfosecfoundation.org/issues/7526",
"tags": [
"x_refsource_MISC"
],
"url": "https://redmine.openinfosecfoundation.org/issues/7526"
}
],
"source": {
"advisory": "GHSA-924c-vvm5-9mqx",
"discovery": "UNKNOWN"
},
"title": "Suricata pcre: negated pcr can cause infinite loop"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-29918",
"datePublished": "2025-04-10T21:02:32.646Z",
"dateReserved": "2025-03-12T13:42:22.135Z",
"dateUpdated": "2025-11-03T19:46:43.978Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-55626 (GCVE-0-2024-55626)
Vulnerability from cvelistv5
Published
2025-01-06 17:47
Modified
2025-11-03 19:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-680 - Integer Overflow to Buffer Overflow
Summary
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, a large BPF filter file provided to Suricata at startup can lead to a buffer overflow at Suricata startup. The issue has been addressed in Suricata 7.0.8.
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-55626",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-06T19:15:39.252344Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T19:15:49.387Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:32:13.234Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00029.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "suricata",
"vendor": "OISF",
"versions": [
{
"status": "affected",
"version": "\u003c 7.0.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, a large BPF filter file provided to Suricata at startup can lead to a buffer overflow at Suricata startup. The issue has been addressed in Suricata 7.0.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-680",
"description": "CWE-680: Integer Overflow to Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T17:47:07.213Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OISF/suricata/security/advisories/GHSA-wmg4-jqx5-4h9v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OISF/suricata/security/advisories/GHSA-wmg4-jqx5-4h9v"
},
{
"name": "https://github.com/OISF/suricata/commit/dd71ef0af222a566e54dfc479dd1951dd17d7ceb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OISF/suricata/commit/dd71ef0af222a566e54dfc479dd1951dd17d7ceb"
},
{
"name": "https://redmine.openinfosecfoundation.org/issues/7366",
"tags": [
"x_refsource_MISC"
],
"url": "https://redmine.openinfosecfoundation.org/issues/7366"
}
],
"source": {
"advisory": "GHSA-wmg4-jqx5-4h9v",
"discovery": "UNKNOWN"
},
"title": "Suricata oversized bpf file can lead to buffer overflow"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-55626",
"datePublished": "2025-01-06T17:47:07.213Z",
"dateReserved": "2024-12-09T17:48:05.556Z",
"dateUpdated": "2025-11-03T19:32:13.234Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-45796 (GCVE-0-2024-45796)
Vulnerability from cvelistv5
Published
2024-10-16 18:41
Modified
2025-11-03 19:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-193 - Off-by-one Error
Summary
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, a logic error during fragment reassembly can lead to failed reassembly for valid traffic. An attacker could craft packets to trigger this behavior.This issue has been addressed in 7.0.7.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "suricata",
"vendor": "oisf",
"versions": [
{
"lessThan": "7.0.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45796",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-17T17:15:59.665953Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T17:16:06.095Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:30:58.408Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00029.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "suricata",
"vendor": "OISF",
"versions": [
{
"status": "affected",
"version": "\u003c 7.0.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, a logic error during fragment reassembly can lead to failed reassembly for valid traffic. An attacker could craft packets to trigger this behavior.This issue has been addressed in 7.0.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-193",
"description": "CWE-193: Off-by-one Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-16T18:41:43.559Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OISF/suricata/security/advisories/GHSA-mf6r-3xp2-v7xg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OISF/suricata/security/advisories/GHSA-mf6r-3xp2-v7xg"
},
{
"name": "https://redmine.openinfosecfoundation.org/issues/7067",
"tags": [
"x_refsource_MISC"
],
"url": "https://redmine.openinfosecfoundation.org/issues/7067"
}
],
"source": {
"advisory": "GHSA-mf6r-3xp2-v7xg",
"discovery": "UNKNOWN"
},
"title": "Suricata defrag: off by one can lead to policy bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45796",
"datePublished": "2024-10-16T18:41:43.559Z",
"dateReserved": "2024-09-09T14:23:07.502Z",
"dateUpdated": "2025-11-03T19:30:58.408Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-37151 (GCVE-0-2024-37151)
Vulnerability from cvelistv5
Published
2024-07-11 14:39
Modified
2025-11-03 19:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Summary
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine.
Mishandling of multiple fragmented packets using the same IP ID value can lead to packet reassembly failure, which can lead to policy bypass. Upgrade to 7.0.6 or 6.0.20. When using af-packet, enable `defrag` to reduce the scope of the problem.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:oisf:suricata:6.0.0:-:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "suricata",
"vendor": "oisf",
"versions": [
{
"lessThan": "6.0.20",
"status": "affected",
"version": "6.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oisf:suricata:7.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "suricata",
"vendor": "oisf",
"versions": [
{
"lessThan": "7.0.6",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37151",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-11T15:59:30.704290Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-12T15:51:20.755Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:30:13.398Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/OISF/suricata/security/advisories/GHSA-qrp7-g66m-px24",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/OISF/suricata/security/advisories/GHSA-qrp7-g66m-px24"
},
{
"name": "https://github.com/OISF/suricata/commit/9d5c4273cb7e5ca65f195f7361f0d848c85180e0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OISF/suricata/commit/9d5c4273cb7e5ca65f195f7361f0d848c85180e0"
},
{
"name": "https://github.com/OISF/suricata/commit/aab7f35c76721df19403a7c0c0025feae12f3b6b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OISF/suricata/commit/aab7f35c76721df19403a7c0c0025feae12f3b6b"
},
{
"name": "https://redmine.openinfosecfoundation.org/issues/7041",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://redmine.openinfosecfoundation.org/issues/7041"
},
{
"name": "https://redmine.openinfosecfoundation.org/issues/7042",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://redmine.openinfosecfoundation.org/issues/7042"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00029.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "suricata",
"vendor": "OISF",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.0.20"
},
{
"status": "affected",
"version": "\u003e= 7.0.0,\u003c 7.0.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. \nMishandling of multiple fragmented packets using the same IP ID value can lead to packet reassembly failure, which can lead to policy bypass. Upgrade to 7.0.6 or 6.0.20. When using af-packet, enable `defrag` to reduce the scope of the problem."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-11T14:39:32.766Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OISF/suricata/security/advisories/GHSA-qrp7-g66m-px24",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OISF/suricata/security/advisories/GHSA-qrp7-g66m-px24"
},
{
"name": "https://github.com/OISF/suricata/commit/9d5c4273cb7e5ca65f195f7361f0d848c85180e0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OISF/suricata/commit/9d5c4273cb7e5ca65f195f7361f0d848c85180e0"
},
{
"name": "https://github.com/OISF/suricata/commit/aab7f35c76721df19403a7c0c0025feae12f3b6b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OISF/suricata/commit/aab7f35c76721df19403a7c0c0025feae12f3b6b"
},
{
"name": "https://redmine.openinfosecfoundation.org/issues/7041",
"tags": [
"x_refsource_MISC"
],
"url": "https://redmine.openinfosecfoundation.org/issues/7041"
},
{
"name": "https://redmine.openinfosecfoundation.org/issues/7042",
"tags": [
"x_refsource_MISC"
],
"url": "https://redmine.openinfosecfoundation.org/issues/7042"
}
],
"source": {
"advisory": "GHSA-qrp7-g66m-px24",
"discovery": "UNKNOWN"
},
"title": "Suricata defrag: IP ID reuse can lead to policy bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-37151",
"datePublished": "2024-07-11T14:39:32.766Z",
"dateReserved": "2024-06-03T17:29:38.328Z",
"dateUpdated": "2025-11-03T19:30:13.398Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-32663 (GCVE-0-2024-32663)
Vulnerability from cvelistv5
Published
2024-05-07 14:48
Modified
2025-11-03 19:29
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, a small amount of HTTP/2 traffic can lead to Suricata using a large amount of memory. The issue has been addressed in Suricata 7.0.5 and 6.0.19. Workarounds include disabling the HTTP/2 parser and reducing `app-layer.protocols.http2.max-table-size` value (default is 65536).
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32663",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-07T17:39:47.421590Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:51:29.291Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:29:48.378Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/OISF/suricata/security/advisories/GHSA-9jxm-qw9v-266r",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/OISF/suricata/security/advisories/GHSA-9jxm-qw9v-266r"
},
{
"name": "https://github.com/OISF/suricata/commit/08d93f7c3762781b743f88f9fdc4389eb9c3eb64",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OISF/suricata/commit/08d93f7c3762781b743f88f9fdc4389eb9c3eb64"
},
{
"name": "https://github.com/OISF/suricata/commit/c0af92295e833d1db29b184d63cd3b829451d7fd",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OISF/suricata/commit/c0af92295e833d1db29b184d63cd3b829451d7fd"
},
{
"name": "https://github.com/OISF/suricata/commit/d24b37a103c04bb2667e449e080ba4c8e56bb019",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OISF/suricata/commit/d24b37a103c04bb2667e449e080ba4c8e56bb019"
},
{
"name": "https://github.com/OISF/suricata/commit/e68ec4b227d19498f364a41eb25d3182f0383ca5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OISF/suricata/commit/e68ec4b227d19498f364a41eb25d3182f0383ca5"
},
{
"name": "https://redmine.openinfosecfoundation.org/issues/6892",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://redmine.openinfosecfoundation.org/issues/6892"
},
{
"name": "https://redmine.openinfosecfoundation.org/issues/6900",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://redmine.openinfosecfoundation.org/issues/6900"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00029.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "suricata",
"vendor": "OISF",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.0.0, \u003c= 7.0.4"
},
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c= 6.0.18"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, a small amount of HTTP/2 traffic can lead to Suricata using a large amount of memory. The issue has been addressed in Suricata 7.0.5 and 6.0.19. Workarounds include disabling the HTTP/2 parser and reducing `app-layer.protocols.http2.max-table-size` value (default is 65536)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-07T14:48:20.366Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OISF/suricata/security/advisories/GHSA-9jxm-qw9v-266r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OISF/suricata/security/advisories/GHSA-9jxm-qw9v-266r"
},
{
"name": "https://github.com/OISF/suricata/commit/08d93f7c3762781b743f88f9fdc4389eb9c3eb64",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OISF/suricata/commit/08d93f7c3762781b743f88f9fdc4389eb9c3eb64"
},
{
"name": "https://github.com/OISF/suricata/commit/c0af92295e833d1db29b184d63cd3b829451d7fd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OISF/suricata/commit/c0af92295e833d1db29b184d63cd3b829451d7fd"
},
{
"name": "https://github.com/OISF/suricata/commit/d24b37a103c04bb2667e449e080ba4c8e56bb019",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OISF/suricata/commit/d24b37a103c04bb2667e449e080ba4c8e56bb019"
},
{
"name": "https://github.com/OISF/suricata/commit/e68ec4b227d19498f364a41eb25d3182f0383ca5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OISF/suricata/commit/e68ec4b227d19498f364a41eb25d3182f0383ca5"
},
{
"name": "https://redmine.openinfosecfoundation.org/issues/6892",
"tags": [
"x_refsource_MISC"
],
"url": "https://redmine.openinfosecfoundation.org/issues/6892"
},
{
"name": "https://redmine.openinfosecfoundation.org/issues/6900",
"tags": [
"x_refsource_MISC"
],
"url": "https://redmine.openinfosecfoundation.org/issues/6900"
}
],
"source": {
"advisory": "GHSA-9jxm-qw9v-266r",
"discovery": "UNKNOWN"
},
"title": "Suricata \u0027s http2 parser contains an improper compressed header handling can lead to resource starvation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32663",
"datePublished": "2024-05-07T14:48:20.366Z",
"dateReserved": "2024-04-16T14:15:26.878Z",
"dateUpdated": "2025-11-03T19:29:48.378Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-35852 (GCVE-0-2023-35852)
Vulnerability from cvelistv5
Published
2023-06-19 00:00
Modified
2025-11-03 19:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
In Suricata before 6.0.13 (when there is an adversary who controls an external source of rules), a dataset filename, that comes from a rule, may trigger absolute or relative directory traversal, and lead to write access to a local filesystem. This is addressed in 6.0.13 by requiring allow-absolute-filenames and allow-write (in the datasets rules configuration section) if an installation requires traversal/writing in this situation.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:28:15.621Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/OISF/suricata/compare/suricata-6.0.12...suricata-6.0.13"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/OISF/suricata/commit/aee1523b4591430ebed1ded0bb95508e6717a335"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/OISF/suricata/commit/735f5aa9ca3b28cfacc7a443f93a44387fbacf17"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.stamus-networks.com/stamus-labs"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00029.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-35852",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-11T17:05:14.989150Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-11T17:05:39.191Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Suricata before 6.0.13 (when there is an adversary who controls an external source of rules), a dataset filename, that comes from a rule, may trigger absolute or relative directory traversal, and lead to write access to a local filesystem. This is addressed in 6.0.13 by requiring allow-absolute-filenames and allow-write (in the datasets rules configuration section) if an installation requires traversal/writing in this situation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-19T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/OISF/suricata/compare/suricata-6.0.12...suricata-6.0.13"
},
{
"url": "https://github.com/OISF/suricata/commit/aee1523b4591430ebed1ded0bb95508e6717a335"
},
{
"url": "https://github.com/OISF/suricata/commit/735f5aa9ca3b28cfacc7a443f93a44387fbacf17"
},
{
"url": "https://www.stamus-networks.com/stamus-labs"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-35852",
"datePublished": "2023-06-19T00:00:00.000Z",
"dateReserved": "2023-06-19T00:00:00.000Z",
"dateUpdated": "2025-11-03T19:28:15.621Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-45098 (GCVE-0-2021-45098)
Vulnerability from cvelistv5
Published
2021-12-16 04:07
Modified
2025-11-03 19:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in Suricata before 6.0.4. It is possible to bypass/evade any HTTP-based signature by faking an RST TCP packet with random TCP options of the md5header from the client side. After the three-way handshake, it's possible to inject an RST ACK with a random TCP md5header option. Then, the client can send an HTTP GET request with a forbidden URL. The server will ignore the RST ACK and send the response HTTP packet for the client's request. These packets will not trigger a Suricata reject action.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:26:34.251Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OISF/suricata/releases"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://redmine.openinfosecfoundation.org/issues/4710"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OISF/suricata/commit/50e2b973eeec7172991bf8f544ab06fb782b97df"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00029.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Suricata before 6.0.4. It is possible to bypass/evade any HTTP-based signature by faking an RST TCP packet with random TCP options of the md5header from the client side. After the three-way handshake, it\u0027s possible to inject an RST ACK with a random TCP md5header option. Then, the client can send an HTTP GET request with a forbidden URL. The server will ignore the RST ACK and send the response HTTP packet for the client\u0027s request. These packets will not trigger a Suricata reject action."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-16T04:07:57.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OISF/suricata/releases"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://redmine.openinfosecfoundation.org/issues/4710"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OISF/suricata/commit/50e2b973eeec7172991bf8f544ab06fb782b97df"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-45098",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Suricata before 6.0.4. It is possible to bypass/evade any HTTP-based signature by faking an RST TCP packet with random TCP options of the md5header from the client side. After the three-way handshake, it\u0027s possible to inject an RST ACK with a random TCP md5header option. Then, the client can send an HTTP GET request with a forbidden URL. The server will ignore the RST ACK and send the response HTTP packet for the client\u0027s request. These packets will not trigger a Suricata reject action."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/OISF/suricata/releases",
"refsource": "MISC",
"url": "https://github.com/OISF/suricata/releases"
},
{
"name": "https://redmine.openinfosecfoundation.org/issues/4710",
"refsource": "MISC",
"url": "https://redmine.openinfosecfoundation.org/issues/4710"
},
{
"name": "https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942",
"refsource": "MISC",
"url": "https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942"
},
{
"name": "https://github.com/OISF/suricata/commit/50e2b973eeec7172991bf8f544ab06fb782b97df",
"refsource": "MISC",
"url": "https://github.com/OISF/suricata/commit/50e2b973eeec7172991bf8f544ab06fb782b97df"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-45098",
"datePublished": "2021-12-16T04:07:57.000Z",
"dateReserved": "2021-12-16T00:00:00.000Z",
"dateUpdated": "2025-11-03T19:26:34.251Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}