CVE-2025-29917

6.2 MEDIUM

📋 TL;DR

Suricata's decode_base64 keyword has insufficient memory allocation limits, allowing attackers to trigger excessive memory consumption up to 4GB per thread via specially crafted signatures. This affects all Suricata deployments using vulnerable versions with signatures containing the decode_base64 keyword. The vulnerability can lead to denial of service through resource exhaustion.

💻 Affected Systems

Products:
  • Suricata IDS/IPS
Versions: All versions before 7.0.9
Operating Systems: All operating systems running Suricata
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using signatures with the decode_base64 keyword and bytes setting. Default installations without custom signatures may not be affected.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system resource exhaustion leading to denial of service, potentially crashing Suricata and disrupting network security monitoring across all protected systems.

🟠

Likely Case

Degraded performance or temporary service disruption as memory allocation spikes impact Suricata's ability to process network traffic.

🟢

If Mitigated

Minimal impact with proper signature validation and memory limits in place, though some performance degradation may still occur during attack attempts.

🌐 Internet-Facing: HIGH - Suricata typically monitors internet-facing traffic, making it directly exposed to malicious packets triggering this vulnerability.
🏢 Internal Only: MEDIUM - Internal network traffic could also be weaponized if an attacker gains internal access, though less likely than internet-facing exposure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending network traffic that triggers vulnerable signatures. No authentication needed as Suricata processes all monitored traffic.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.0.9

Vendor Advisory: https://github.com/OISF/suricata/security/advisories/GHSA-x8c9-8553-j9px

Restart Required: Yes

Instructions:

1. Download Suricata 7.0.9 from official sources.
2. Stop the Suricata service.
3. Back up configuration and rules.
4. Install the new version.
5. Restart the Suricata service.
6. Verify functionality.

🔧 Temporary Workarounds

Disable decode_base64 signatures

Platform: all

Remove or disable any signatures using the decode_base64 keyword with bytes setting

suricata -T --dump-config | grep -i base64
Review and modify rules files to remove vulnerable signatures

Implement memory limits

Platform: linux

Configure system memory limits for Suricata process to contain impact

ulimit -v 1048576    # ulimit -v takes kilobytes, so 1048576 KiB = 1 GiB (the original value was 1 TiB)
systemctl edit suricata    # add MemoryMax=1G under [Service] in the drop-in, then restart the unit
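As an added example for the rule-review workaround above (this is not the advisory's or the Suricata project's code), a small Python checker that walks rule files, reports every decode_base64 option and the bytes value it requests, and flags values above a review threshold. The option syntax `decode_base64: bytes N, offset M, relative;` is Suricata's documented form; the sample rules and the 1 MiB threshold are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Matches a decode_base64 option and captures its argument string, e.g.
# "bytes 16, offset 4, relative". The keyword is also valid with no
# arguments at all, in which case bytes is reported as None.
DECODE_B64 = re.compile(r"decode_base64\s*(?::\s*([^;]*))?;")
BYTES_ARG = re.compile(r"\bbytes\s+(\d+)")


def find_decode_base64(rule_text):
    """Return (line_no, bytes_value_or_None) for each decode_base64 use.

    Commented-out rules (leading '#') are skipped; a rule may carry more
    than one decode_base64 option, so every occurrence is reported.
    """
    hits = []
    for line_no, line in enumerate(rule_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        for m in DECODE_B64.finditer(line):
            b = BYTES_ARG.search(m.group(1) or "")
            hits.append((line_no, int(b.group(1)) if b else None))
    return hits


def flag_large(hits, threshold):
    """Keep only uses whose explicit bytes value exceeds threshold."""
    return [(ln, b) for ln, b in hits if b is not None and b > threshold]


# Constructed sample rules, not taken from any real ruleset.
SAMPLE_RULES = """\
alert http any any -> any any (msg:"small b64"; decode_base64: bytes 32, offset 0, relative; base64_data; content:"x"; sid:1;)
# alert http any any -> any any (msg:"disabled"; decode_base64: bytes 3000000000; sid:2;)
alert http any any -> any any (msg:"huge b64"; decode_base64: bytes 3000000000, offset 0; base64_data; content:"y"; sid:3;)
alert tcp any any -> any any (msg:"no args"; decode_base64; base64_data; content:"z"; sid:4;)
"""

if __name__ == "__main__":
    # Usage: python check_b64.py /etc/suricata/rules/*.rules (no args: sample)
    paths = [Path(p) for p in sys.argv[1:]]
    text = "\n".join(p.read_text() for p in paths) if paths else SAMPLE_RULES
    hits = find_decode_base64(text)
    for line_no, b in hits:
        print(f"line {line_no}: decode_base64 bytes={b}")
    for line_no, b in flag_large(hits, 1024 * 1024):  # assumed review threshold
        print(f"REVIEW line {line_no}: bytes {b} exceeds 1 MiB")
```

Run it against your rules directories before applying the workaround; any rule it flags is one to remove or rewrite until 7.0.9 is deployed.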

🧯 If You Can't Patch

  • Review and remove all signatures using decode_base64 keyword with bytes parameter
  • Implement network segmentation to limit Suricata's exposure to untrusted traffic

🔍 How to Verify

Check if Vulnerable:

Check the Suricata version and review signatures for decode_base64 usage:

suricata --build-info | grep Version && grep -r 'decode_base64' /etc/suricata/rules/

Check Version:

suricata --build-info | grep Version

Verify Fix Applied:

Confirm the version is 7.0.9 or later:

suricata --build-info | grep 'Version: 7\.0\.9'

📡 Detection & Monitoring

Log Indicators:

  • Suricata process crashes or restarts
  • High memory usage alerts
  • Performance degradation in network monitoring

Network Indicators:

  • Unusual base64-encoded payloads in network traffic
  • Traffic patterns designed to trigger specific signatures

SIEM Query:

source="suricata" AND ("out of memory" OR "segmentation fault" OR memory>90%)
