CVE-2025-64344

7.5 HIGH

📋 TL;DR

A stack overflow vulnerability in Suricata's Lua scripting engine allows attackers to cause denial of service or potentially execute arbitrary code by passing large buffers to Lua scripts. This affects users who have Lua rules or output scripts enabled in their Suricata configuration. The vulnerability is present in Suricata versions before 7.0.13 and 8.0.2.

💻 Affected Systems

Products:
  • Suricata
Versions: All versions before 7.0.13 and 8.0.2
Operating Systems: All operating systems running Suricata
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if Lua rules or output scripts are enabled in configuration. Default installations typically have Lua disabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, allowing attackers to take control of the Suricata host and potentially pivot to other systems.

🟠 Likely Case: Denial of service causing Suricata to crash, disrupting network monitoring and intrusion detection capabilities.

🟢 If Mitigated: Minimal impact with proper buffer limits configured or Lua scripting disabled.

🌐 Internet-Facing: MEDIUM - Suricata typically monitors network traffic, but exploitation requires specially crafted traffic reaching the vulnerable Lua scripts.
🏢 Internal Only: MEDIUM - Same risk applies to internal network monitoring, though attack surface may be more limited.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires sending specially crafted network traffic that triggers Lua scripts with large buffers. No public exploit code is currently available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.0.13 or 8.0.2

Vendor Advisory: https://github.com/OISF/suricata/security/advisories/GHSA-93fh-cgmc-w3rx

Restart Required: Yes

Instructions:

1. Download Suricata 7.0.13 or 8.0.2 from official sources.
2. Stop the Suricata service.
3. Install the updated version.
4. Restart the Suricata service.
5. Verify the new version is running.

🔧 Temporary Workarounds

Disable Lua scripting
Applies to: all

Completely disable Lua rules and output scripts in the Suricata configuration: edit suricata.yaml and set the 'lua:' section to disabled, or remove the Lua script references.

Configure buffer limits
Applies to: all

Set stream.reassembly.depth and the HTTP response body limit to less than half the stack size of the Suricata process, so that no buffer handed to a Lua script can exceed what the stack can hold.

Edit suricata.yaml and set the following (replace [VALUE] with a size below half the stack size; suricata.yaml expresses sizes with a kb/mb suffix):

  stream:
    reassembly:
      depth: [VALUE]                 # maximum reassembled stream depth handed to the app layer

  app-layer:
    protocols:
      http:
        libhtp:
          default-config:
            response-body-limit: [VALUE]   # maximum HTTP response body Suricata buffers

🧯 If You Can't Patch

  • Disable all Lua rules and output scripts immediately
  • Implement strict network segmentation to limit traffic reaching Suricata instances

🔍 How to Verify

Check if Vulnerable:

Check Suricata version and Lua configuration: suricata --build-info | grep version && grep -i lua /etc/suricata/suricata.yaml

Check Version:

suricata --build-info | grep version

Verify Fix Applied:

Verify version is 7.0.13 or higher (for 7.x) or 8.0.2 or higher (for 8.x): suricata --build-info | grep version
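The two manual checks above can be combined into one script. The following POSIX sh checker is an added example, not part of the advisory or of the Suricata project: it parses the version line that suricata --build-info prints, compares it with the fixed releases named above (7.0.13 for 7.x, 8.0.2 for 8.x), and reports whether suricata.yaml still references Lua outside of comments. The build-info line and the YAML fragment it runs on are constructed samples; on a real host replace them with the live command output and /etc/suricata/suricata.yaml.

```shell
#!/bin/sh
# Added example, not from the advisory or the Suricata project: checker for
# the CVE-2025-64344 verification step. Sample inputs below are constructed.

# version_ge A B: exit 0 when dotted version A >= B, comparing numeric
# fields left to right; missing fields count as 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# suricata_fixed VERSION: exit 0 if VERSION is at or above the fixed release
# for its branch, 1 if it is an affected release, 2 if the branch is not one
# the advisory covers (treat that as "check manually"). Pre-release suffixes
# such as "-dev" are stripped, so a 7.0.13-dev build counts as 7.0.13.
suricata_fixed() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    case "$v" in
        7.*) version_ge "$v" 7.0.13 ;;
        8.*) version_ge "$v" 8.0.2 ;;
        *)   return 2 ;;
    esac
}

# build_info_version: read `suricata --build-info` output on stdin and print
# the version from its "This is Suricata version X.Y.Z RELEASE" line.
build_info_version() {
    sed -n 's/^This is Suricata version \([0-9][0-9.]*\).*/\1/p'
}

# lua_referenced FILE: exit 0 if any non-comment line of FILE mentions lua.
# Heuristic only: a Lua output block left in place with "enabled: no" still
# matches, so a hit means "review by hand", not "definitely enabled".
lua_referenced() {
    grep -v '^[[:space:]]*#' "$1" | grep -qi lua
}

# assess VERSION CONFIG: print a one-line verdict combining both checks.
assess() {
    suricata_fixed "$1" && rc=0 || rc=$?
    case $rc in
        0) verdict="OK: Suricata $1 contains the fix for CVE-2025-64344" ;;
        1) verdict="VULNERABLE: Suricata $1 is before the fixed release" ;;
        *) verdict="UNKNOWN: Suricata $1 is not a 7.x or 8.x release; check manually" ;;
    esac
    if [ "$rc" -ne 0 ]; then
        if lua_referenced "$2"; then
            verdict="$verdict; Lua is referenced in $2, so disable it until patched"
        else
            verdict="$verdict; no Lua reference found in $2 (only Lua-enabled setups are exposed)"
        fi
    fi
    echo "$verdict"
}

# --- Constructed sample input (not captured from a real host) ---
SAMPLE_BUILD_INFO='This is Suricata version 7.0.12 RELEASE'
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
# constructed suricata.yaml fragment: a Lua output script is still referenced
outputs:
  - lua:
      enabled: yes
      scripts-dir: /etc/suricata/lua-output/
      scripts:
        - script1.lua
EOF

version=$(printf '%s\n' "$SAMPLE_BUILD_INFO" | build_info_version)
assess "$version" "$SAMPLE_CONFIG"
rm -f "$SAMPLE_CONFIG"
```

For a live host, feed the real output instead: version=$(suricata --build-info | build_info_version); assess "$version" /etc/suricata/suricata.yaml. The Lua check is deliberately conservative because the advisory's exposure condition is "Lua rules or output scripts enabled", and a grep cannot tell an enabled script from a commented-out one with certainty.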

📡 Detection & Monitoring

Log Indicators:

  • Suricata crash logs
  • Segmentation fault errors in system logs
  • Unexpected Suricata service restarts

Network Indicators:

  • Large buffer payloads targeting Suricata
  • Unusual traffic patterns designed to trigger Lua scripts

SIEM Query:

source="suricata" AND ("segmentation fault" OR "crash" OR "stack overflow")
