CVE-2025-58447

9.8 CRITICAL

📋 TL;DR

CVE-2025-58447 is a critical heap-based buffer overflow vulnerability in rAthena MMORPG server's login component. Remote attackers can send specially crafted authentication packets to trigger denial of service or potentially execute arbitrary code. All rAthena servers running versions before commit 2f5248b are affected.

💻 Affected Systems

Products:
  • rAthena MMORPG Server
Versions: All versions prior to commit 2f5248b9cd9a8c6b42422ddecfc4cc2cd0e69e4b
Operating Systems: All platforms (cross-platform software)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the login server component; game servers without login functionality may not be vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete server compromise, data theft, and attacker persistence on the system.

🟠 Likely Case: Immediate denial of service (server crash) disrupting game services for all players.

🟢 If Mitigated: Limited to denial of service if the exploit fails to achieve code execution, but still causes service disruption.

🌐 Internet-Facing: HIGH - Login servers are typically internet-facing and the exploit requires no authentication.
🏢 Internal Only: LOW - This primarily affects internet-facing game servers, not internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in a well-defined protocol handler with clear trigger conditions, making exploitation relatively straightforward for skilled attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 2f5248b9cd9a8c6b42422ddecfc4cc2cd0e69e4b or later

Vendor Advisory: https://github.com/rathena/rathena/security/advisories/GHSA-4p33-6xqr-cm6x

Restart Required: Yes

Instructions:

1. Pull the latest rAthena code from GitHub.
2. Verify that the checkout includes commit 2f5248b or later.
3. Recompile the login server.
4. Restart the login server service.

🔧 Temporary Workarounds

Network Filtering (applies to: all)

Block or filter CA_SSO_LOGIN_REQ packets with oversized token lengths at the network perimeter.

Service Isolation (applies to: all)

Run the login server in an isolated container or VM with minimal privileges to limit the impact of a potential RCE.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate login server from critical systems
  • Deploy application-layer firewall or WAF to filter malicious authentication packets

🔍 How to Verify

Check if Vulnerable:

Check the git log for commit 2f5248b9cd9a8c6b42422ddecfc4cc2cd0e69e4b; if it is not present, the system is vulnerable.

Check Version:

git log --oneline -1

Verify Fix Applied:

Verify that commit 2f5248b (or a later commit that contains it) is in the git history and that the login server has been restarted after the update.
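The `git log --oneline -1` check above shows only the tip commit, so it cannot tell you whether the fix is actually contained in the checkout's history. The following script is an added example (not from the advisory or the rAthena project) that uses `git merge-base --is-ancestor` to answer that question; the repository path is a placeholder you supply.

```shell
#!/bin/sh
# Added example (not rAthena project code): confirm that the fix commit for
# CVE-2025-58447 is reachable from the checked-out revision of a rAthena clone.
FIX_COMMIT=2f5248b9cd9a8c6b42422ddecfc4cc2cd0e69e4b

# has_commit <repo_dir> <commit>: return 0 when <commit> is an ancestor of HEAD.
# Shallow clones are rejected because the fix may lie beyond the history cutoff.
has_commit() {
    repo="$1"
    commit="$2"
    if [ "$(git -C "$repo" rev-parse --is-shallow-repository 2>/dev/null)" = true ]; then
        echo "warning: $repo is a shallow clone; run 'git fetch --unshallow' first" >&2
        return 1
    fi
    # merge-base exits non-zero both when the commit is not an ancestor and
    # when the object is unknown, so both cases count as "fix not present".
    git -C "$repo" merge-base --is-ancestor "$commit" HEAD 2>/dev/null
}

# check_rathena <repo_dir>: print a verdict; exit status 0 means the fix is present.
check_rathena() {
    if has_commit "$1" "$FIX_COMMIT"; then
        echo "FIXED: $FIX_COMMIT is in the history of $1 (rebuild and restart the login server if not already done)"
        return 0
    fi
    echo "NOT FIXED: $FIX_COMMIT is not in the history of $1"
    return 1
}

# Usage: check_rathena /path/to/rathena   (the path is a placeholder)
```

A passing result only proves the source tree contains the fix; the running login-server binary must still have been rebuilt from it and restarted.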

📡 Detection & Monitoring

Log Indicators:

  • Login server crash logs
  • Abnormal authentication attempts with large payloads
  • Memory corruption errors in system logs

Network Indicators:

  • CA_SSO_LOGIN_REQ packets with token length exceeding normal bounds (typically > 32 bytes)
  • Multiple failed login attempts from single source

SIEM Query:

source="login-server.log" AND ("segmentation fault" OR "buffer overflow" OR "heap corruption")
