CVE-2025-65409

7.5 HIGH

📋 TL;DR

A divide-by-zero vulnerability in the encryption/decryption routines of GNU Recutils v1.9 allows an attacker who can supply the password to cause a Denial of Service (DoS) by providing an empty password value. Any program that uses Recutils (the command-line tools or librec) to encrypt or decrypt recfile data is affected. The bug crashes the process, disrupting whatever data processing it was doing.

💻 Affected Systems

Products:
  • GNU Recutils
Versions: Version 1.9 specifically
Operating Systems: Linux, Unix-like systems, Cross-platform where Recutils is compiled
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable code is only reached through the password-based encryption/decryption features (for example the -s/--password option of recsel, recins and recfix, or the corresponding librec API). Deployments that never use these features do not reach the faulty code.

📦 What is this software?

GNU Recutils is a set of command-line tools (recsel, recins, recdel, recfix, recset and others) and a C library (librec) for working with recfiles: human-editable, plain-text databases. Fields marked %confidential can be stored encrypted and are unlocked with a password passed to the tools or the library.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete application crash leading to service unavailability; if the process dies in the middle of writing a recfile, the file may be left partially written.

🟠

Likely Case

Application crash when processing encrypted data with empty passwords, requiring manual restart and causing temporary service disruption.

🟢

If Mitigated

Minimal impact with proper input validation and error handling in place; application gracefully handles malformed input without crashing.

🌐 Internet-Facing: MEDIUM - Only affects systems where Recutils processes user-controlled input for encryption/decryption, which may be exposed through web interfaces or APIs.
🏢 Internal Only: LOW - Primarily affects administrative or data processing tools using Recutils internally; requires specific conditions to trigger.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the ability to supply the password that reaches a Recutils encryption/decryption routine; an empty password is the entire trigger, so no crafted payload is needed.
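To make the failure mode concrete, the following is an added illustration of the bug class, not recutils' own source: a password is stretched to a fixed key length by repeating it, the index wraps with i % strlen(password), and an empty password makes that divisor zero. The guarded variant beside it rejects the empty password before any arithmetic. KEY_LEN, the function names and the sample passwords are assumptions made for this example.

```c
/* Added illustration of the CVE-2025-65409 bug class, not recutils' code.
 * A password is stretched to a fixed key length by repeating it, and the
 * index wraps with i % strlen(password). For an empty password the divisor
 * is 0: on x86/x86-64 Linux an integer modulo by zero raises SIGFPE and the
 * process dies, which is exactly the DoS the advisory describes. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 32  /* assumed key length for this illustration */

/* Vulnerable pattern: no check on the password length before the modulo.
 * Calling this with "" crashes the process; it is here only for contrast. */
void expand_password_unchecked(const char *password,
                               unsigned char *key, size_t key_len)
{
    size_t plen = strlen(password);
    for (size_t i = 0; i < key_len; i++)
        key[i] = (unsigned char)password[i % plen];  /* plen == 0 -> SIGFPE */
}

/* Hardened variant: refuse NULL or empty passwords before any arithmetic.
 * Returns 0 on success and -1 when the password is unusable. */
int expand_password_checked(const char *password,
                            unsigned char *key, size_t key_len)
{
    if (password == NULL || password[0] == '\0')
        return -1;
    size_t plen = strlen(password);
    for (size_t i = 0; i < key_len; i++)
        key[i] = (unsigned char)password[i % plen];
    return 0;
}

/* Models what a CLI's -s/--password handler should do: validate, derive,
 * and report a clean error instead of letting the process crash. */
int derive_key_or_fail(const char *password, unsigned char key[KEY_LEN])
{
    if (expand_password_checked(password, key, KEY_LEN) != 0) {
        fprintf(stderr, "error: password must not be empty\n");
        return 1;  /* ordinary exit status, not a SIGFPE death */
    }
    return 0;
}

int main(void)
{
    unsigned char key[KEY_LEN];
    /* Sample inputs constructed for the demo. */
    expand_password_unchecked("hunter2", key, KEY_LEN);  /* safe: non-empty */
    printf("checked(\"hunter2\") -> %d\n", derive_key_or_fail("hunter2", key));
    printf("checked(\"\")        -> %d\n", derive_key_or_fail("", key));
    return 0;
}
```

The check has to sit before the modulo: catching SIGFPE after the fact is not a fix, because the signal arrives inside the library with no way to resume the caller cleanly.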

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: No fixed release is identified on this page; check http://ftp.gnu.org/gnu/recutils/ and the bug-recutils thread below for a release newer than 1.9 that contains the fix.

Vendor Advisory: https://lists.gnu.org/archive/html/bug-recutils/2025-10/msg00004.html

Restart Required: Yes

Instructions:

1. Download the latest Recutils from http://ftp.gnu.org/gnu/recutils/
2. Compile and install following the GNU instructions
3. Restart any services using Recutils (including programs that link librec)

🔧 Temporary Workarounds

Input Validation Wrapper

linux

Implement a wrapper script that validates the password before it is passed to a Recutils tool (recsel, recins or recfix take it via -s/--password)

#!/bin/bash
# Refuse an empty password before it can reach a recutils tool.
# Usage: PASSWORD=secret ./recwrap.sh recsel -e 'Login = "alice"' users.rec
if [ -z "$PASSWORD" ]; then
    echo "Error: Password cannot be empty" >&2
    exit 1
fi
# Hand the validated password to the requested tool via -s/--password
exec "$@" -s "$PASSWORD"

Disable Encryption Features

all

Temporarily stop invoking the password-based features (the -s/--password option of recsel, recins and recfix, and the librec encryption API) if they are not required

# Modify application configuration to avoid using recutils encryption features

🧯 If You Can't Patch

  • Implement strict input validation to reject empty passwords before reaching Recutils
  • Monitor system and application logs for Recutils processes dying with SIGFPE (see Detection & Monitoring) and implement automatic restart mechanisms

🔍 How to Verify

Check if Vulnerable:

Check the installed version with recsel --version | head -1 (an affected build reports 1.9). To confirm, run an encryption/decryption operation with an empty password in a disposable environment, for example passing -s '' to recsel, recins or recfix on a recfile with %confidential fields: an affected build dies with SIGFPE ("Floating point exception") instead of reporting an error.

Check Version:

recsel --version

Verify Fix Applied:

Repeat the empty-password test after patching; the tool should exit with an error message and a normal non-zero exit status rather than being killed by SIGFPE

📡 Detection & Monitoring

Log Indicators:

  • Kernel trap messages naming a Recutils process, e.g. traps: recsel[1234] trap divide error ip:... (x86 Linux logs an integer divide by zero this way)
  • Core-dump records (systemd-coredump, abrt) for recsel, recins, recfix or any program linking librec that died with signal 8 (SIGFPE); the crash is a divide error, not a segmentation fault
  • Application or shell logs showing "Floating point exception" or exit status 136 (128 + SIGFPE) right after an encryption/decryption call

Network Indicators:

  • Sudden service unavailability
  • Failed encryption/decryption API calls

SIEM Query:

source="application.logs" AND ("trap divide error" OR "Floating point exception" OR "Signal 8 (FPE)" OR "recutils crash") AND ("recsel" OR "recins" OR "recfix" OR "librec")

🔗 References