CVE-2025-64334
📋 TL;DR
This vulnerability in Suricata allows an attacker to cause unbounded memory growth by sending specially crafted compressed HTTP data through a monitored link, potentially leading to denial of service (DoS) through resource exhaustion. It affects Suricata 8.0.0 and 8.0.1 (fixed in 8.0.2), so any deployment on those releases for network intrusion detection, prevention, or monitoring is exposed.
💻 Affected Systems
- Suricata
⚠️ Risk & Real-World Impact
Worst Case
Suricata is killed by the OOM killer or exhausts host memory and takes other services with it; while it is down the segment is unmonitored, and in inline (IPS) mode traffic is either blocked or passes uninspected depending on the bypass configuration, so an attacker can follow up with attacks that go undetected.
Likely Case
Degraded performance or temporary DoS of Suricata, reducing its effectiveness in detecting threats until memory is freed or the service is restarted.
If Mitigated
Minimal impact with proper patching or workarounds, maintaining normal Suricata functionality and security coverage.
🎯 Exploit Status
Triggering the bug only requires that Suricata inspect attacker-controlled compressed HTTP traffic (for example a response from a server the attacker runs that a monitored client fetches), so no authentication or special network position beyond reaching a monitored path is needed. No public proof-of-concept had been disclosed as of the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.0.2
Vendor Advisory: https://github.com/OISF/suricata/security/advisories/GHSA-r5jf-v2gx-gx8w
Restart Required: Yes
Instructions:
1. Obtain Suricata 8.0.2 from the official repository, or the updated package from your distribution.
2. Follow the installation instructions for your OS to upgrade.
3. Restart the Suricata service so the new binary is the one running, then confirm the version with 'suricata --build-info'.
🔧 Temporary Workarounds
Disable LZMA decompression
Prevents Suricata from decompressing LZMA-encoded HTTP bodies, so such bodies cannot drive the decompressor's memory growth; the trade-off is that those bodies are no longer inspected.
Edit suricata.yaml and set 'lzma-enabled: no' under 'app-layer.protocols.http.libhtp.default-config' (and in any 'server-config' entries that override it), then restart Suricata.
Limit response-body-limit size
Caps how much of each HTTP response body Suricata buffers for inspection, which reduces, but is not documented to eliminate, the memory a crafted response can consume.
Edit suricata.yaml and keep 'response-body-limit' (and 'request-body-limit') in the same section at or below the shipped default of 100kb. The often-quoted 'response-body-limit: 1mb' is larger than that default, not smaller, so only treat it as a reduction if you had previously raised the limit. Neither workaround replaces upgrading to 8.0.2.
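As an added illustration (not text from the advisory or the Suricata project), this is the relevant section of suricata.yaml with both workarounds applied. The key names and the 100kb / 1mb defaults follow the suricata.yaml shipped with the 7.0 and 8.0 branches; which value is right for a given sensor is a tuning decision, not something the advisory prescribes.

```yaml
app-layer:
  protocols:
    http:
      enabled: yes
      libhtp:
        default-config:
          personality: IDS
          # Body buffering limits. The shipped default is 100kb for both;
          # do not raise them while running an unpatched 8.0.0/8.0.1.
          request-body-limit: 100kb
          response-body-limit: 100kb
          # Decompression settings.
          # Workaround: stop decompressing LZMA-encoded bodies entirely.
          # Shipped default is "yes"; "no" also means LZMA bodies are not inspected.
          lzma-enabled: no
          # Existing guard rails, left at their shipped values:
          lzma-memlimit: 1mb
          compression-bomb-limit: 1mb
          decompression-time-limit: 100000
        # Any per-server override block must carry the same change, otherwise
        # traffic matching it keeps the default-config behaviour it overrides.
        # server-config:
        #   - apache:
        #       address: [192.168.1.0/24]
        #       lzma-enabled: no
```

Validate the edited file with 'suricata -T -c /etc/suricata/suricata.yaml' before restarting the service; a typo in this section is otherwise only noticed when Suricata fails to start.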
🧯 If You Can't Patch
- Bound the blast radius with OS resource limits (for example MemoryMax= on the Suricata systemd unit, or an equivalent cgroup memory limit) so that runaway growth restarts Suricata rather than taking the host down; in inline (IPS) mode, decide deliberately whether the path fails open or closed while Suricata is down.
- Monitor system memory usage and logs for signs of abnormal growth, and have an incident response plan ready.
🔍 How to Verify
Check if Vulnerable:
Run 'suricata --build-info' and check whether the reported version is 8.0.0 or 8.0.1.
Check Version:
suricata --build-info | grep 'Version'
Verify Fix Applied:
After patching, confirm that the version reported by 'suricata --build-info' is 8.0.2 or later. If you have a pcap containing compressed HTTP traffic, replay it with 'suricata -r <file.pcap>' while watching the process's memory and its stats counters to confirm usage stays bounded.
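The version check above, as an added example that is not part of the advisory or of Suricata itself: it parses the first line of 'suricata --build-info' output and classifies the install against the 8.0.0-8.0.1 affected range. The sample build-info text is constructed for the example; dev or rc builds (e.g. 8.0.2-dev) are reduced to their numeric version and need manual judgement because such a build may predate the fix.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Range taken from the advisory text on this page: 8.0.0 and 8.0.1 affected, 8.0.2 fixed.
AFFECTED_MIN: Version = (8, 0, 0)
FIXED: Version = (8, 0, 2)

# Constructed sample of the first lines of `suricata --build-info` output; the real
# output continues with feature flags, compiler and library details.
SAMPLE_BUILD_INFO = """This is Suricata version 8.0.1 RELEASE
Features: AF_PACKET PCRE_JIT HAVE_LIBCAP_NG
"""

# Matches the version line; an optional "-dev"/"-rc1" suffix is captured but ignored.
_VERSION_RE = re.compile(r"This is Suricata version (\d+)\.(\d+)\.(\d+)(?:-(\S+))?")


def parse_version(build_info: str) -> Optional[Version]:
    """Return (major, minor, patch) from build-info text, or None if absent."""
    m = _VERSION_RE.search(build_info)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups()[:3])
    return (major, minor, patch)


def is_vulnerable(version: Version) -> bool:
    """True for 8.0.0 <= version < 8.0.2, the range the advisory names."""
    return AFFECTED_MIN <= version < FIXED


def assess(build_info: str) -> str:
    """Classify build-info text: vulnerable, fixed, outside-affected-range, or unknown."""
    v = parse_version(build_info)
    if v is None:
        return "unknown"
    if is_vulnerable(v):
        return "vulnerable"
    if v >= FIXED:
        return "fixed"
    return "outside-affected-range"   # e.g. a 7.0.x install; not in the advisory's range


def assess_local_install() -> str:
    """Run the locally installed suricata binary, if any, and classify it."""
    exe = shutil.which("suricata")
    if exe is None:
        return "unknown"
    proc = subprocess.run([exe, "--build-info"], capture_output=True, text=True, check=False)
    return assess(proc.stdout)


if __name__ == "__main__":
    print("sample build-info:", assess(SAMPLE_BUILD_INFO))
    print("local install    :", assess_local_install())
```

Run it on each sensor; "outside-affected-range" means the version is not one the advisory lists, not that it has been audited.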
📡 Detection & Monitoring
Log Indicators:
- Steady growth of Suricata's own memory counters between stats intervals (stats.log or eve 'stats' events, for example the HTTP memuse counter) that does not track traffic volume
- Rising resident memory of the Suricata process, OOM-killer entries, or unexpected Suricata restarts in the system journal
Network Indicators:
- HTTP transactions with a compressed Content-Encoding (LZMA in particular) whose bodies expand to far more than their wire size, repeated from one server or client
- A burst of such transactions that coincides with the memory growth above
SIEM Query:
Example (Splunk-style, assuming eve.json stats events are indexed with their JSON fields): index=suricata event_type=stats | timechart span=1m max(stats.http.memuse) AS http_memuse, then alert when http_memuse keeps climbing across consecutive intervals or crosses a threshold derived from your baseline. Suricata emits no alert signature for its own memory exhaustion, so a query over 'alert' events (by signature ID or category) will not detect this condition.
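The log-based detection described above, as an added example that is not part of the advisory or of Suricata: it reads eve.json lines, keeps the HTTP memory counter from each 'stats' record, and raises a finding either when the counter grows by at least a configured amount for several consecutive intervals or when it crosses an absolute ceiling. The eve lines are constructed for the example and the stats.http.memuse field name is an assumption about your build's stats output; the thresholds are placeholders to be replaced by values from your own baseline, since this counter also rises under legitimate load.

```python
import json
from typing import Dict, List, Tuple

MiB = 1024 * 1024

# Constructed eve.json lines (one JSON object per line). The stats records mimic
# what Suricata writes every stats interval (8 s by default) when the eve-log
# output has stats enabled; only the fields used here are present. The final
# torn line imitates a record still being written when the file was read.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2025-11-20T10:00:00.000000+0000","event_type":"stats","stats":{"uptime":8,"http":{"memuse":2097152}}}',
    '{"timestamp":"2025-11-20T10:00:08.000000+0000","event_type":"stats","stats":{"uptime":16,"http":{"memuse":2150000}}}',
    '{"timestamp":"2025-11-20T10:00:16.000000+0000","event_type":"stats","stats":{"uptime":24,"http":{"memuse":2200000}}}',
    '{"timestamp":"2025-11-20T10:00:24.000000+0000","event_type":"stats","stats":{"uptime":32,"http":{"memuse":52428800}}}',
    '{"timestamp":"2025-11-20T10:00:32.000000+0000","event_type":"stats","stats":{"uptime":40,"http":{"memuse":104857600}}}',
    '{"timestamp":"2025-11-20T10:00:40.000000+0000","event_type":"stats","stats":{"uptime":48,"http":{"memuse":157286400}}}',
    '{"timestamp":"2025-11-20T10:00:40.100000+0000","event_type":"alert","alert":{"signature":"unrelated"}}',
    '{"timestamp":"2025-11-20T10:00:48.000',
])


def http_memuse_series(eve_text: str) -> List[Tuple[str, int]]:
    """Return (timestamp, memuse) for every stats record carrying the HTTP memuse counter."""
    series: List[Tuple[str, int]] = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # torn last line while Suricata is still writing
        if rec.get("event_type") != "stats":
            continue
        # Assumed counter location; adjust to the HTTP memory counter your build exposes.
        memuse = rec.get("stats", {}).get("http", {}).get("memuse")
        if isinstance(memuse, int):
            series.append((rec.get("timestamp", ""), memuse))
    return series


def detect_runaway_http_memuse(eve_text: str,
                               growth_per_interval: int = 16 * MiB,
                               consecutive: int = 3,
                               ceiling: int = 128 * MiB) -> List[Dict]:
    """Flag sustained growth across `consecutive` intervals and any crossing of `ceiling`.

    Placeholder thresholds: set them from the sensor's observed baseline.
    """
    series = http_memuse_series(eve_text)
    findings: List[Dict] = []
    run = 0
    ceiling_reported = False
    for i, (ts, cur) in enumerate(series):
        if i > 0:
            prev = series[i - 1][1]
            # A drop (restart, flows timing out) resets the streak.
            run = run + 1 if cur - prev >= growth_per_interval else 0
            if run == consecutive:  # fires once per streak, not on every later interval
                findings.append({
                    "kind": "sustained_growth",
                    "since": series[i - consecutive][0],
                    "at": ts,
                    "from": series[i - consecutive][1],
                    "to": cur,
                })
        if cur >= ceiling and not ceiling_reported:
            findings.append({"kind": "ceiling", "at": ts, "memuse": cur})
            ceiling_reported = True
    return findings


if __name__ == "__main__":
    for finding in detect_runaway_http_memuse(SAMPLE_EVE):
        print(finding)
```

Feed it a tail of the live eve.json (or the last hour from your log store) from cron or a SIEM scheduled search; the sustained-growth rule catches the slow case, the ceiling catches a sensor that is already close to being killed.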