CVE-2025-63829

7.5 HIGH

📋 TL;DR

CVE-2025-63829 is an integer overflow in eProsima Fast-DDS's Time_t::fraction() conversion that sends the function into an infinite loop. A process that converts an attacker-supplied, out-of-range time value stops making progress, so the effect is denial of service (a hang, or a crash) for any application built on a vulnerable Fast-DDS. Fast-DDS v3.3 and all earlier versions are affected.

💻 Affected Systems

Products:
  • eProsima Fast-DDS
Versions: v3.3 and all earlier versions
Operating Systems: All platforms where Fast-DDS runs (Linux, Windows, macOS, etc.)
Default Config Vulnerable: ⚠️ Yes
Notes: Any application that links Fast-DDS is exposed when a Time_t whose fields come from an untrusted source (typically a remote DDS participant) reaches the time conversion.

📦 What is this software?

eProsima Fast-DDS (formerly Fast RTPS) is an open-source C++ implementation of the OMG DDS and RTPS standards for publish/subscribe data distribution. It is the default middleware in ROS 2 and is widely used in robotics, automotive and industrial systems.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Denial of service of every Fast-DDS participant that handles the crafted value; for a DDS deployment this can mean loss of the data bus underneath real-time systems such as robots, autonomous vehicles or industrial control systems.

🟠

Likely Case

Application crashes or hangs when processing maliciously crafted time data, disrupting data distribution services.

🟢

If Mitigated

Limited impact if the application validates the time values it constructs and a supervisor detects and restarts hung processes.

🌐 Internet-Facing: MEDIUM - Exploitation requires sending malicious time data to vulnerable endpoints, which may be exposed in some deployments.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit this to disrupt critical data distribution services.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A proof of concept is available as a GitHub gist. Exploitation requires delivering crafted time data to a vulnerable participant; unless DDS Security authentication is enabled, DDS discovery and data traffic accept input from any peer that can reach the endpoint, so in many deployments no authentication is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v3.4 or later

Vendor Advisory: https://github.com/eProsima/Fast-DDS/security/advisories

Restart Required: Yes

Instructions:

1. Check the current Fast-DDS version.
2. Update to v3.4 or later via the package manager or a source build.
3. Rebuild and restart all applications that link Fast-DDS.

🔧 Temporary Workarounds

Input Validation Wrapper

Platform: all

Validate Time_t values before passing them to Fast-DDS functions. This only covers values the application constructs itself; time fields that Fast-DDS deserializes from the wire are converted inside the library and cannot be intercepted this way, so it is a partial measure until the upgrade is applied.

// Code-level workaround: check Time_t::nanosec (and any other value that will be
// turned into a 32-bit fraction) before calling Time_t::fraction() or similar helpers.
// Reject or normalize values that do not satisfy the converter's implicit bound
// (nanosec below one second, i.e. < 1 000 000 000).
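The following is an added example, not code from this page or from Fast-DDS. It assumes the DDS Time_t layout of a signed seconds field plus a 32-bit nanosecond field, and the DDS convention of 2^32 fractions per second; the names Time, is_valid, normalize and checked_fraction are this example's own. It shows why the conversion cannot be done safely on an arbitrary nanosecond value (any nanosec at or above 1e9 produces a result that does not fit in 32 bits and wraps) and gives the guard an application can apply to values it builds before handing them to the library. The vulnerable loop itself is not reproduced.

```cpp
// Added example, not Fast-DDS code: guard Time_t-like values before they
// reach a nanosecond-to-fraction conversion that assumes nanosec < 1e9.
#include <cstdint>
#include <cstdio>

namespace timeguard {

constexpr uint64_t kNanosPerSec     = 1000000000ULL;
constexpr uint64_t kFractionsPerSec = 1ULL << 32;  // DDS Time_t: 2^32 fractions per second

// Stand-in for the DDS Time_t layout (seconds + nanoseconds); an assumed
// type for this example, not the library's own.
struct Time {
    int32_t  seconds;
    uint32_t nanosec;
};

// Exact conversion in 64-bit arithmetic. The true result fits in 32 bits
// only when nanosec < 1e9 (max nanosec * 2^32 is below 2^64, so no overflow here).
inline uint64_t nano_to_frac_wide(uint32_t nanosec)
{
    return (static_cast<uint64_t>(nanosec) * kFractionsPerSec) / kNanosPerSec;
}

// The same result after the narrowing a uint32_t fraction forces: any
// nanosec >= 1e9 wraps modulo 2^32, so exactly 1e9 ns becomes 0.
inline uint32_t nano_to_frac_narrowed(uint32_t nanosec)
{
    return static_cast<uint32_t>(nano_to_frac_wide(nanosec));
}

// True when the fraction for this nanosec cannot be represented in 32 bits.
inline bool fraction_overflows(uint32_t nanosec)
{
    return nano_to_frac_wide(nanosec) > UINT32_MAX;
}

// Reject rather than repair: untrusted input with nanosec >= 1e9 is dropped.
inline bool is_valid(const Time& t)
{
    return t.nanosec < kNanosPerSec;
}

// Carry surplus nanoseconds into seconds. Use for values the application
// produced itself (e.g. duration arithmetic), not to launder untrusted input.
inline Time normalize(Time t)
{
    t.seconds += static_cast<int32_t>(t.nanosec / kNanosPerSec);
    t.nanosec  = static_cast<uint32_t>(t.nanosec % kNanosPerSec);
    return t;
}

// Fraction accessor that refuses to convert an unvalidated value.
inline bool checked_fraction(const Time& t, uint32_t& out)
{
    if (!is_valid(t)) {
        return false;
    }
    out = nano_to_frac_narrowed(t.nanosec);  // cannot wrap once nanosec < 1e9
    return true;
}

} // namespace timeguard

int main()
{
    using namespace timeguard;
    // Constructed sample inputs: in range, the first out-of-range value, and the maximum.
    const uint32_t samples[] = {0u, 500000000u, 999999999u, 1000000000u, 4294967295u};
    for (uint32_t ns : samples) {
        std::printf("nanosec=%10u exact=%20llu narrowed=%10u overflow=%d\n",
                    ns, static_cast<unsigned long long>(nano_to_frac_wide(ns)),
                    nano_to_frac_narrowed(ns), fraction_overflows(ns) ? 1 : 0);
    }
    Time t = normalize(Time{1, 2500000000u});
    std::printf("normalize(1 s, 2500000000 ns) -> %d s, %u ns\n", t.seconds, t.nanosec);
    return 0;
}
```

Apply is_valid (or checked_fraction) at the boundary where the application accepts a time value from anything it does not control; reserve normalize for values it computed itself. Neither helper protects against values that Fast-DDS parses from received RTPS messages, which is why the upgrade remains the only complete fix.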

🧯 If You Can't Patch

  • Implement network segmentation to isolate Fast-DDS services from untrusted networks
  • Deploy monitoring to detect and restart hung Fast-DDS processes automatically

🔍 How to Verify

Check if Vulnerable:

Check the installed Fast-DDS version: dpkg -l | grep -i fastdds or rpm -qa | grep -i fastdds. ROS 2 installs it as ros-<distro>-fastrtps, and source or colcon builds are invisible to the package manager, so in those cases read the version macros from the installed config header (fastdds/config.hpp in the 3.x series). If the version is 3.3 or earlier, the system is vulnerable.

Check Version:

fastdds --version 2>/dev/null || dpkg -l | grep fastdds || rpm -qa | grep fastdds || find /usr -name '*fastdds*' -type f | head -5

Verify Fix Applied:

Confirm the installed version is 3.4 or later and that every application has been rebuilt against it and restarted. In a test environment only, feed the known proof-of-concept time values to a participant and confirm the process keeps making progress instead of hanging.

📡 Detection & Monitoring

Log Indicators:

  • Process hanging/crashing logs
  • High CPU usage without progress
  • Timeout errors in Fast-DDS applications

Network Indicators:

  • Unusual time data patterns in DDS traffic
  • Repeated connection attempts with malformed packets

SIEM Query (pseudo-query; adapt to your SIEM's syntax, and note that Fast-DDS is a library, so the process name to match is that of the application linking it, not "fastdds"):

process_name:"<your-dds-application>" AND (event_type:crash OR cpu_usage:>90% FOR 5m)

🔗 References
