Login Sign Up

CVE-2025-35435

4.3 MEDIUM
Denial of Service

📋 TL;DR

CVE-2025-35435 is a division-by-zero vulnerability in CISA Thorium that allows authenticated remote attackers to crash the service by sending a stream split size of zero. This affects systems running vulnerable versions of Thorium before the fix. The vulnerability requires authentication but could cause denial of service.

💻 Affected Systems

Products:
  • CISA Thorium
Versions: All versions before commit 89101a6
Operating Systems: Any OS running Thorium
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration when stream split functionality is used.

📦 What is this software?

Thorium by Cisa

View all CVEs affecting Thorium →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Service crashes leading to denial of service, potentially disrupting critical monitoring or security functions if Thorium is part of security infrastructure.

🟠

Likely Case

Authenticated attacker causes service interruption, requiring restart of Thorium service to restore functionality.

🟢

If Mitigated

With proper authentication controls and network segmentation, impact is limited to denial of service within the authenticated user's scope.

🌐 Internet-Facing: MEDIUM - Requires authentication but internet-facing instances could be targeted by credential-based attacks.
🏢 Internal Only: MEDIUM - Internal authenticated users could exploit to cause service disruption.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access to Thorium service and knowledge of how to trigger stream split functionality with zero value.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 89101a6 or later

Vendor Advisory: https://github.com/cisagov/thorium/commit/7c94a0b9bc2dc55e0c307360452f348bac06820c

Restart Required: No

Instructions:

1. Update Thorium to commit 89101a6 or later. 2. Pull latest changes from repository. 3. Rebuild and redeploy Thorium service.

🔧 Temporary Workarounds

Input validation at proxy/load balancer

all

Block requests containing stream split size of zero at network boundary

Restrict authenticated access

all

Limit Thorium access to only necessary authenticated users

🧯 If You Can't Patch

  • Implement network segmentation to isolate Thorium from untrusted networks
  • Monitor for service crashes and implement automated restart procedures

🔍 How to Verify

Check if Vulnerable:

Check Thorium version/git commit hash - if before commit 89101a6, system is vulnerable.

Check Version:

git log --oneline -1

Verify Fix Applied:

Verify Thorium is running commit 89101a6 or later and test stream split functionality with various inputs.

📡 Detection & Monitoring

Log Indicators:

  • Thorium service crash logs
  • Division by zero errors in application logs
  • Unexpected service restarts

Network Indicators:

  • Unusual authenticated requests to Thorium stream endpoints
  • Requests with zero-value parameters

SIEM Query:

source="thorium" AND ("division by zero" OR "crash" OR "segfault")

📊 Metadata

CVE ID: CVE-2025-35435
CVSS v3 Score: 4.3 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CWE: CWE-369
EPSS Score: 0.11% exploit probability (30.2th percentile)
Published: September 17, 2025
Last Updated: September 26, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-35435, you might also want to check these:

CVE-2021-32494 10.0

CVE-2021-32494 is a division by zero vulnerability in Radare2's Mach-O parser that allows attackers ...

Same vulnerability type (CWE-369)
CVE-2020-20892 8.8

A division by zero vulnerability in FFmpeg's lens correction filter allows attackers to cause denial...

Same vulnerability type (CWE-369)
CVE-2023-3896 7.8

This vulnerability is a divide-by-zero error in Vim text editor versions 9.0.1367-1 through 9.0.1367...

Same vulnerability type (CWE-369)