CVE-2025-29916: Suricata datasets: ruleset declared settings can lead to resource starvation

6.2 CVSS

Description

Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Datasets declared in rules have an option to specify the `hashsize` to use. This size setting isn't properly limited, so the hash table allocation can be large. Untrusted rules can lead to large memory allocations, potentially leading to denial of service due to resource starvation. This vulnerability is fixed in 7.0.9.

Classification

CVE ID: CVE-2025-29916

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.2

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem Types

CWE-770: Allocation of Resources Without Limits or Throttling

Affected Products

Vendor: OISF

Product: suricata

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (estimated probability of exploitation in the wild)

EPSS Percentile: 2.04% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-20 (date this score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2025-29916
https://github.com/OISF/suricata/security/advisories/GHSA-27g3-pmvp-j9cv
https://github.com/OISF/suricata/commit/a7713db709b8a0be5fc5e5809ab58e9b14a16e85
https://redmine.openinfosecfoundation.org/issues/7615

Timeline