CVE-2025-25066

8.1 HIGH

📋 TL;DR

CVE-2025-25066 is a stack-based buffer overflow vulnerability in nDPI's address cache restoration function. This could allow attackers to execute arbitrary code or cause denial of service on systems using vulnerable nDPI versions. Organizations using nDPI for network traffic analysis or DPI functionality are affected.

💻 Affected Systems

Products:
  • nDPI (ntop Deep Packet Inspection)
Versions: All versions through 4.12
Operating Systems: All platforms where nDPI is compiled and run
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the library itself; exploitation depends on how applications use nDPI's cache functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data exfiltration, or persistent backdoor installation.

🟠 Likely Case: Denial of service causing nDPI process crashes and disruption of network monitoring/traffic analysis capabilities.

🟢 If Mitigated: Limited impact with proper memory protection mechanisms (ASLR, stack canaries) and privilege separation.

🌐 Internet-Facing: MEDIUM - Requires nDPI to process malicious network traffic from untrusted sources.
🏢 Internal Only: LOW - Typically used in controlled network monitoring environments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires sending specially crafted network traffic that triggers the cache restoration function with malicious data.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after commit 678697b5eb6c3caa5dd5f8cccfe9eed8d13b94bb

Vendor Advisory: https://github.com/ntop/nDPI/commit/678697b5eb6c3caa5dd5f8cccfe9eed8d13b94bb

Restart Required: No

Instructions:

1. Update nDPI to latest version or apply commit 678697b5eb6c3caa5dd5f8cccfe9eed8d13b94bb
2. Recompile any applications using nDPI
3. Redeploy updated applications

🔧 Temporary Workarounds

Disable address cache

all

Configure applications not to use nDPI's address cache functionality where possible.

🧯 If You Can't Patch

  • Implement network segmentation to limit traffic reaching nDPI systems
  • Deploy memory protection controls (ASLR, stack canaries, DEP) on affected systems

🔍 How to Verify

Check if Vulnerable:

Check the nDPI version (ndpi-config --version) or examine the source tree for the presence of commit 678697b5eb6c3caa5dd5f8cccfe9eed8d13b94bb.

Check Version:

ndpi-config --version

Verify Fix Applied:

Confirm that the installed nDPI version is newer than 4.12, or that the source tree contains the fix commit.
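A version check alone cannot tell a stock 4.12 apart from a 4.12 build that had the fix commit backported, so the check below pairs the version comparison with a git ancestry test on a source checkout. This is an added example, not the advisory's or the nDPI project's own tooling; the function names (`is_affected`, `fix_commit_in_tree`) are hypothetical, and the assumption that `ndpi-config --version` prints a dotted version somewhere in its output is mine, not confirmed by the advisory.

```python
"""Added example (not from the advisory or nDPI): decide whether an nDPI build
is affected by CVE-2025-25066 from its version string, and optionally check a
source checkout for the fix commit named in the advisory."""
import re
import subprocess
import sys

FIX_COMMIT = "678697b5eb6c3caa5dd5f8cccfe9eed8d13b94bb"  # from the advisory
LAST_AFFECTED = (4, 12)  # advisory: all versions through 4.12 are affected


def parse_version(text: str) -> tuple:
    """Return the first dotted version in `text` as a tuple of ints.
    Accepts '4.12', '4.12.0' or a longer banner such as 'nDPI 4.14 (git)'.
    The banner format of `ndpi-config --version` is an assumption."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def is_affected(version_text: str) -> bool:
    """True when major.minor is 4.12 or older. A tuple comparison is used so
    that 4.2 < 4.12 (a plain string compare would get this wrong)."""
    major, minor = parse_version(version_text)[:2]
    return (major, minor) <= LAST_AFFECTED


def fix_commit_in_tree(repo_dir: str, commit: str = FIX_COMMIT) -> bool:
    """For a source checkout: True if `commit` is an ancestor of HEAD, i.e.
    the fix is present regardless of what version the tree reports.
    Shells out to git, so this part is not exercised offline."""
    result = subprocess.run(
        ["git", "-C", repo_dir, "merge-base", "--is-ancestor", commit, "HEAD"],
        capture_output=True,
    )
    return result.returncode == 0


if __name__ == "__main__":
    # usage: python check_ndpi.py "<version banner>" [path/to/nDPI/checkout]
    banner = sys.argv[1] if len(sys.argv) > 1 else "4.12"
    verdict = "AFFECTED" if is_affected(banner) else "not affected by version"
    print(f"{banner!r}: {verdict}")
    if len(sys.argv) > 2:
        present = fix_commit_in_tree(sys.argv[2])
        print(f"fix commit present in {sys.argv[2]}: {present}")
```

If the version says "affected" but the git check says the commit is present, trust the git check: the tree was patched without a version bump.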

📡 Detection & Monitoring

Log Indicators:

  • nDPI process crashes
  • segmentation fault errors in application logs

Network Indicators:

  • Unusual traffic patterns triggering cache operations
  • Repeated connection attempts to nDPI services

SIEM Query:

process_name:"ndpi" AND (event_type:crash OR error_message:"segmentation fault")
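The SIEM query above keys on a crash event plus a segfault message; where logs are only available as raw syslog text, the same logic can be applied line by line. The scanner below is an added example, not part of the advisory: it recognises three common crash shapes (a kernel `segfault at` line, a systemd `status=11/SEGV` exit, and an application's own "Segmentation fault" message), keeps only those that mention nDPI by process or library name, and ignores unrelated segfaults. The log lines are constructed samples, and the function names are my own.

```python
"""Added example (not from the advisory): flag nDPI-related process crashes in
syslog-style text, matching the advisory's log indicators. SAMPLE_LOGS is a
constructed input, not a real capture."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample lines: two nDPI crashes, one unrelated login, one app-level
# segfault mentioning libndpi, and one browser segfault that must NOT alert.
SAMPLE_LOGS = [
    "Mar  3 09:14:22 sensor01 kernel: [18234.112] ndpiReader[4321]: segfault at "
    "00007ffc1a2b3c40 ip 00007f1e9c4d5e60 sp 00007ffc1a2b3b10 error 6 in "
    "libndpi.so.4.12.0[7f1e9c4a0000+1c0000]",
    "Mar  3 09:14:23 sensor01 systemd[1]: ndpi-monitor.service: Main process "
    "exited, code=dumped, status=11/SEGV",
    "Mar  3 09:14:25 sensor01 sshd[900]: Accepted publickey for ops from "
    "10.0.0.5 port 50022",
    "Mar  3 09:15:02 sensor01 traffic-analyzer[5120]: fatal: Segmentation fault "
    "(core dumped) while restoring libndpi address cache",
    "Mar  3 09:16:40 sensor01 kernel: [18372.900] chrome[7777]: segfault at 0 "
    "ip 000055d1c0001000 sp 00007ffe00001000 error 4 in chrome[55d1c0000000+1000]",
]

# Crash shapes, tried in order; each captures the crashing process name.
CRASH_PATTERNS = [
    re.compile(r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: segfault at", re.I),
    re.compile(r"(?P<proc>[\w.@-]+)\.service: Main process exited, "
               r"code=dumped, status=11/SEGV"),
    re.compile(r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: .*segmentation fault", re.I),
]
# Only crashes that involve nDPI are relevant to this advisory: the process
# name or the faulting library mentions ndpi/libndpi.
NDPI_HINT = re.compile(r"ndpi", re.I)


@dataclass
class Alert:
    line_no: int      # 1-based index into the scanned input
    process: str      # crashing process or systemd unit name
    detail: str       # the matched fragment, for the analyst


def scan_lines(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per line that looks like an nDPI-related crash."""
    alerts: List[Alert] = []
    for no, line in enumerate(lines, start=1):
        if not NDPI_HINT.search(line):
            continue  # segfault in something unrelated, or no nDPI involvement
        for pat in CRASH_PATTERNS:
            m = pat.search(line)
            if m:
                alerts.append(Alert(no, m.group("proc"), m.group(0)))
                break
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    """Crash count per process; repeated crashes of one nDPI consumer are the
    pattern the advisory's 'likely case' (DoS) would produce."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.process] = counts.get(a.process, 0) + 1
    return counts


if __name__ == "__main__":
    for a in scan_lines(SAMPLE_LOGS):
        print(f"line {a.line_no}: {a.process}: {a.detail}")
    print(summarize(scan_lines(SAMPLE_LOGS)))
```

Feed real logs through `scan_lines(open(path))`; a burst of alerts for the same process in a short window is the signal worth escalating, since a single crash can also be an unrelated bug.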
