CVE-2025-11012

5.3 MEDIUM

📋 TL;DR

BehaviorTree.CPP up to and including version 4.7.0 contains a stack-based buffer overflow in the ParseScript function (the CVE entry files it under a component it calls the "Diagnostic Message Handler"). When a script fails to parse, the error text is written into error_msgs_buffer, a fixed-size buffer on the stack, without a length check, so a script crafted to produce an oversized error report overwrites the stack. The attack is rated local: the attacker must be able to get the vulnerable process to parse script text they control. The outcome ranges from a crash of that process to arbitrary code execution in its context.

💻 Affected Systems

Products:
  • BehaviorTree.CPP
Versions: Up to and including 4.7.0
Operating Systems: All platforms on which BehaviorTree.CPP is built; the flaw is in the library's portable C++ code, not in platform-specific code
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable function is ParseScript, which runs whenever the library parses script text (for example script expressions embedded in a tree definition). Any application on an affected version that parses scripts it does not fully control is exposed; an application that never passes script text to the library does not reach the vulnerable code.

📦 What is this software?

BehaviorTree.CPP is an open-source C++ library for building and executing behavior trees. Trees are described in XML and may embed small scripts (assignments and conditions) that the library parses when a tree is loaded and while it runs; the library is widely used in robotics, including ROS 2 navigation stacks. The vulnerable ParseScript function is the entry point of that embedded-script parser.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full compromise of the account the parsing process runs under. This becomes privilege escalation only when that process runs with higher privileges than the user who can feed it scripts (for example a robot control daemon running as root that loads operator-supplied trees); the result is then data theft, persistent access, or a backdoor installed with those privileges.

🟠

Likely Case

The parsing process crashes, a denial of service for whatever depends on it (on a robot, typically the control loop). Turning the overflow into code execution has to defeat the usual stack protections (stack canaries, ASLR, non-executable stacks) and is considerably harder than causing the crash.

🟢

If Mitigated

Limited impact: exploitation needs local access and the ability to supply script text, so access controls that keep untrusted users away from the process and from the tree definitions it loads remove the attack surface.

🌐 Internet-Facing: LOW - the CVE rates the attack as local. Reassess if your application accepts tree definitions or script text from remote clients (for example over a robot's command interface), because that turns the local precondition into a network one.
🏢 Internal Only: MEDIUM - any local user who can get the process to parse their script can crash it and, if the process runs with higher privileges, attempt privilege escalation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No (local access required)
Complexity: MEDIUM

A proof-of-concept (poc.zip) is referenced by the report. Exploitation requires local access to the system and the ability to have the vulnerable process parse attacker-supplied script text.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Any build that includes commit cb6c7514efa628adb8180b58b4c9ccdebbe096e3. No release number is named, so check for the commit rather than relying on the version string alone.

Vendor Advisory: https://github.com/BehaviorTree/BehaviorTree.CPP/issues/1006

Restart Required: Yes for running processes. A replaced shared library only takes effect in processes that are restarted, and statically linked applications must be rebuilt.

Instructions:

1. Update BehaviorTree.CPP to a build that includes commit cb6c7514efa628adb8180b58b4c9ccdebbe096e3.
2. Rebuild every application that links the library statically; relink or redeploy and then restart those that load it as a shared library.
3. Re-run the application's tests after the update, including trees that contain script expressions, to confirm the parser still behaves as expected.

🔧 Temporary Workarounds

Restrict local access (platform: all)

Limit which local users can reach systems running vulnerable BehaviorTree.CPP versions, and in particular which of them can supply tree definitions or script text to the process that parses them.

Avoid the vulnerable code path (platform: all)

The CVE entry files the bug under a "Diagnostic Message Handler" component, but the vulnerable function is ParseScript, which runs whenever the library parses script text. Until patched, do not load tree definitions or scripts from sources you do not control; if the application does not need scripting at all, make sure no tree it loads contains script expressions, so the parser is not exercised on untrusted input.

🧯 If You Can't Patch

  • Implement strict access controls so that only trusted users can reach the process and the tree definitions or scripts it loads
  • Monitor for crashes in processes that link BehaviorTree.CPP: kernel segfault records, core dumps, and glibc "stack smashing detected" aborts, which is what a stack-protector build reports when this class of overflow is triggered

🔍 How to Verify

Check if Vulnerable:

Determine the BehaviorTree.CPP version your application builds against or loads at run time. Version 4.7.0 and every earlier version is affected, and so is any later source checkout that does not yet contain the fix commit.

Check Version:

Read the version from the build configuration (the CMake package configuration the application links against, or the version pinned in its dependency manifest) or from the package manager that installed the library.

Verify Fix Applied:

Confirm that the installed library contains commit cb6c7514efa628adb8180b58b4c9ccdebbe096e3, either because its version is later than 4.7.0 and that release includes the commit, or because the source checkout has the commit in its history. A version string alone is not proof: the source names no fixed release.
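The three checks above, and the commit check from the Official Fix section, as a script. This is an added example written for this page, not a tool from the advisory or from the BehaviorTree.CPP project. It assumes the library is installed with a CMake package-version file named behaviortree_cppConfigVersion.cmake (the name CMake's write_basic_package_version_file produces for a project called behaviortree_cpp) and that a source build is a git clone of the upstream repository; adjust the search paths and file name if your install differs.

```shell
#!/bin/sh
# Added example for this page, not from the advisory or the BehaviorTree.CPP
# project. Two checks: is a version string in the affected range (<= 4.7.0),
# and does a source checkout already contain the fix commit.
# Assumptions: CMake package-version file named behaviortree_cppConfigVersion.cmake
# under /usr or /opt; source checkout is a git clone of upstream.

FIX_COMMIT=cb6c7514efa628adb8180b58b4c9ccdebbe096e3

# Prints numeric component $2 (1-based) of dotted version $1, dropping any
# suffix such as "-rc1"; prints nothing if the component is absent.
ver_part() {
    printf '%s\n' "$1" | cut -d. -f"$2" | sed 's/[^0-9].*$//'
}

# Returns 0 (affected) when version $1 is numerically <= 4.7.0, else 1.
# Missing components count as 0, so "4.7" is treated as 4.7.0.
bt_version_affected() {
    maj=$(ver_part "$1" 1); min=$(ver_part "$1" 2); pat=$(ver_part "$1" 3)
    v=$(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
    [ "$v" -le 4007000 ]
}

# Returns 0 when the git checkout at $1 has FIX_COMMIT in its history.
# A checkout that still reports 4.7.0 but has the fix merged is not
# vulnerable, so this is the authoritative check for source builds.
checkout_has_fix() {
    git -C "$1" merge-base --is-ancestor "$FIX_COMMIT" HEAD 2>/dev/null
}

# Prints the installed version from the CMake package-version file, if any.
# The set(PACKAGE_VERSION "...") line is what CMake writes into that file.
installed_bt_version() {
    f=$(find /usr /opt -name behaviortree_cppConfigVersion.cmake 2>/dev/null | head -n 1)
    [ -n "$f" ] && sed -n 's/^set(PACKAGE_VERSION "\([^"]*\)")/\1/p' "$f"
}

# Report on an installed copy and, if a path is given, on a source checkout.
main() {
    v=$(installed_bt_version)
    if [ -n "$v" ]; then
        if bt_version_affected "$v"; then
            echo "installed BehaviorTree.CPP $v: in affected range, verify the fix commit"
        else
            echo "installed BehaviorTree.CPP $v: outside affected range"
        fi
    else
        echo "no installed CMake package config found under /usr or /opt"
    fi
    if [ -n "$1" ]; then
        if checkout_has_fix "$1"; then
            echo "checkout $1: contains fix commit $FIX_COMMIT"
        else
            echo "checkout $1: fix commit not present"
        fi
    fi
}

# Runs only when a checkout path is given, e.g.: sh check_bt.sh /src/BehaviorTree.CPP
[ "$#" -gt 0 ] && main "$@"
```

The version test is deliberately numeric rather than a string comparison so that 4.10.0 sorts after 4.7.0; the commit test is the one that actually proves the fix is present, since the source gives a commit and not a release.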

📡 Detection & Monitoring

Log Indicators:

  • Crashes in processes that link BehaviorTree.CPP: kernel segfault lines naming the library as the faulting module, core dumps, and "stack smashing detected" aborts from the stack protector
  • Processes that link BehaviorTree.CPP spawning child processes they normally never spawn

Network Indicators:

  • None - local-only vulnerability

SIEM Query:

No vendor query is published. Correlate crash records (segfault lines, core dumps, stack-protector aborts) whose faulting module is the BehaviorTree.CPP library with the user who supplied the tree definition or script being parsed, and alert on repeated crashes at the same faulting address, which is what a local user iterating on an exploit looks like. Also alert on process-creation events whose parent is a BehaviorTree.CPP-based executable with arguments it does not normally use.
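The crash-correlation logic described above, run over sample log lines. This is an added example for this page, not a detection rule from the advisory or from the BehaviorTree.CPP project. It parses the Linux kernel's segfault report line ("<comm>[<pid>]: segfault at <addr> ip ... in <module>[...]") as it appears in dmesg or journalctl -k, keeps the records whose faulting module is the BehaviorTree.CPP shared library, and flags fault addresses that recur across crashes. The log lines are constructed for illustration, the library file name libbehaviortree_cpp.so is an assumption about how the library is installed, and the 0x41414141 fault address is the classic "AAAA" overwrite pattern chosen to show what repeated identical faults look like.

```shell
#!/bin/sh
# Added example for this page, not from the advisory or the BehaviorTree.CPP
# project. Scans kernel/journal text for segfaults whose faulting module is
# the BehaviorTree.CPP library. Sample lines are constructed; the library file
# name libbehaviortree_cpp.so is an assumption.

# Constructed sample: two unrelated lines, one unrelated segfault, and two
# crashes in the BT library at the same fault address from different PIDs.
SAMPLE_LOG='Mar 03 10:01:02 robot kernel: usb 1-1: new high-speed USB device number 4
Mar 03 10:01:07 robot bt_executor[4121]: tree loaded from /opt/trees/nav.xml
Mar 03 10:01:09 robot kernel: bt_executor[4121]: segfault at 41414141 ip 00007f3a1c2b4d2e sp 00007ffd2e1c1a40 error 6 in libbehaviortree_cpp.so.4.7.0[7f3a1c280000+1a0000]
Mar 03 10:02:30 robot kernel: other_app[900]: segfault at 0 ip 0000555555554000 sp 00007ffc00000000 error 4 in other_app[555555554000+1000]
Mar 03 10:03:11 robot kernel: bt_executor[4188]: segfault at 41414141 ip 00007f3a1c2b4d2e sp 00007ffd2e1c1a40 error 6 in libbehaviortree_cpp.so.4.7.0[7f3a1c280000+1a0000]'

# Reads log text on stdin; prints "<pid> <fault address> <module>" for every
# segfault whose faulting module is the BehaviorTree.CPP library.
bt_segfaults() {
    grep -E 'segfault at [0-9a-f]+ .* in libbehaviortree_cpp' |
        sed -E 's/^.* ([^ ]+)\[([0-9]+)\]: segfault at ([0-9a-f]+) .* in ([^[]+)\[.*$/\2 \3 \4/'
}

# Number of BT-library segfaults in the text passed as $1.
count_bt_segfaults() {
    printf '%s\n' "$1" | bt_segfaults | wc -l | tr -d ' '
}

# Fault addresses that appear in more than one crash record in $1. Repeated
# crashes at one address are the stronger signal (someone iterating on an
# input); a single crash may just be a bug.
repeated_fault_addresses() {
    printf '%s\n' "$1" | bt_segfaults | awk '{print $2}' | sort | uniq -c | awk '$1 > 1 {print $2}'
}

# Run against the constructed sample. For a live host feed the kernel log
# instead, e.g.:  journalctl -k --no-pager | bt_segfaults
echo "BT-library segfaults in sample: $(count_bt_segfaults "$SAMPLE_LOG")"
echo "fault addresses seen more than once: $(repeated_fault_addresses "$SAMPLE_LOG")"
```

The first two fields of each record (PID and fault address) are what you join against process-creation and login events in the SIEM to attribute the crash to the user who supplied the script; the module name is the filter that separates this library from every other segfault on the host.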
