CVE-2025-61104 – This vulnerability in FRRouting (FRR) allows at... (How to Fix)

Q: What is the severity of CVE-2025-61104?

CVE-2025-61104 has a CVSS score of 7.5 (HIGH). This vulnerability in FRRouting (FRR) allows attackers to cause a denial of service by sending a specially crafted OSPF packet that triggers a NULL pointer dereference. The crash occurs in the show_vty_unknown_tlv function when processing OSPF packets with unknown TLVs. Organizations running FRR versions 4.0 through 10.4.1 with OSPF enabled are affected.

📋 TL;DR

This vulnerability in FRRouting (FRR) allows attackers to cause a denial of service by sending a specially crafted OSPF packet that triggers a NULL pointer dereference. The crash occurs in the show_vty_unknown_tlv function when processing OSPF packets with unknown TLVs. Organizations running FRR versions 4.0 through 10.4.1 with OSPF enabled are affected.

💻 Affected Systems

Products:

FRRouting (FRR)

Versions: v4.0 through v10.4.1

Operating Systems: Linux-based systems running FRR

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems with OSPF enabled. Systems without OSPF configured are not vulnerable.

📦 What is this software?

Frrouting by Frrouting

View all CVEs affecting Frrouting →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption of FRR routing daemon, causing network outages and loss of routing functionality for affected devices.

🟠

Likely Case

FRR daemon crashes, requiring manual restart to restore routing services, causing temporary network disruption.

🟢

If Mitigated

Minimal impact with proper network segmentation and monitoring allowing quick detection and recovery.

🌐 Internet-Facing: MEDIUM - OSPF is typically used internally, but internet-facing routers with OSPF misconfigurations could be exposed.

🏢 Internal Only: HIGH - OSPF is commonly used in internal networks, making internal attackers or compromised devices a significant threat.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW - Requires sending a crafted OSPF packet to vulnerable systems.

Exploitation requires network access to OSPF-enabled interfaces. The vulnerability is triggered by packets with unknown TLVs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v10.4.2 and later

Vendor Advisory: https://github.com/FRRouting/frr/issues/19471

Restart Required: Yes

Instructions:

1. Update FRR to version 10.4.2 or later using your distribution's package manager. 2. For source installations, pull the latest code from GitHub and rebuild. 3. Restart the FRR service after updating.

🔧 Temporary Workarounds

Disable OSPF

linux

Temporarily disable OSPF routing protocol if not required.

vtysh -c 'configure terminal' -c 'no router ospf'

OSPF Interface Filtering

linux

Use ACLs to restrict OSPF packets to trusted sources only.

vtysh -c 'configure terminal' -c 'access-list 1 permit 10.0.0.0/8' -c 'router ospf' -c 'distribute-list 1 in'

🧯 If You Can't Patch

Implement network segmentation to isolate OSPF traffic to trusted zones only.
Deploy network monitoring and intrusion detection systems to detect and alert on suspicious OSPF packets.

🔍 How to Verify

Check if Vulnerable:

Check FRR version with 'frr --version' or 'vtysh -c 'show version''. If version is between 4.0 and 10.4.1 inclusive, and OSPF is enabled, the system is vulnerable.

Check Version:

frr --version

Verify Fix Applied:

After patching, verify version is 10.4.2 or later and test OSPF functionality remains operational.

📡 Detection & Monitoring

Log Indicators:

FRR daemon crash logs in system logs
OSPF process restart messages
Segmentation fault errors in FRR logs

Network Indicators:

Unusual OSPF packets with unknown TLVs
OSPF neighbor flapping
Sudden loss of OSPF routes

SIEM Query:

source="frr.log" AND ("segmentation fault" OR "crash" OR "NULL pointer")

📊 Metadata

CVE ID: CVE-2025-61104

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-476

EPSS Score: 0.08% exploit probability (23.8th percentile)

Published: October 28, 2025

Last Updated: October 31, 2025

🔗 References

https://github.com/FRRouting/frr/issues/19471 Exploit,Issue Tracking,Third Party Advisory
https://github.com/FRRouting/frr/pull/19480 Issue Tracking,Third Party Advisory
https://github.com/FRRouting/frr/pull/19480/commits/fdd957408605d4a1766225630aafc7e6b7c3daf3 Patch
https://github.com/s1awwhy/BugList/blob/main/CVE-2025-61104.md Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-61104, you might also want to check these: