FKIE_CVE-2025-62603

Vulnerability from fkie_nvd - Published: 2026-02-03 20:15 - Updated: 2026-02-18 16:11
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). ParticipantGenericMessage is the DDS Security control-message container that carries not only the handshake but also on going security-control traffic after the handshake, such as crypto-token exchange, rekeying, re-authentication, and token delivery for newly appearing endpoints. On receive, the CDR parser is invoked first and deserializes the `message_data` (i .e., the `DataHolderSeq`) via the `readParticipantGenericMessage → readDataHolderSeq` path. The `DataHolderSeq` is parsed sequentially: a sequence count (`uint32`), and for each DataHolder the `class_id` string (e.g. `DDS:Auth:PKI-DH:1.0+Req`), string properties (a sequence of key/value pairs), and binary properties (a name plus an octet-vector). The parser operat es at a stateless level and does not know higher-layer state (for example, whether the handshake has already completed), s o it fully unfolds the structure before distinguishing legitimate from malformed traffic. Because RTPS permits duplicates, delays, and retransmissions, a receiver must perform at least minimal structural parsing to check identity and sequence n umbers before discarding or processing a message; the current implementation, however, does not "peek" only at a minimal header and instead parses the entire `DataHolderSeq`. As a result, prior to versions 3.4.1, 3.3.1, and 2.6.11, this parsi ng behavior can trigger an out-of-memory condition and remotely terminate the process. Versions 3.4.1, 3.3.1, and 2.6.11 p atch the issue.
References
security-advisories@github.comhttps://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5fPatch
security-advisories@github.comhttps://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2bPatch
security-advisories@github.comhttps://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421aPatch
security-advisories@github.comhttps://security-tracker.debian.org/tracker/CVE-2025-62603Third Party Advisory
Impacted products
Vendor Product Version
eprosima fast_dds *
eprosima fast_dds *
eprosima fast_dds 3.4.0
debian debian_linux 11.0
debian debian_linux 12.0
debian debian_linux 13.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8BAE40E0-6DFF-4878-9438-9C2488C9831C",
              "versionEndExcluding": "2.6.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "94A01F76-524F-4A5B-A782-CC789F229136",
              "versionEndExcluding": "3.3.1",
              "versionStartIncluding": "3.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eprosima:fast_dds:3.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "D4452677-95AB-46F9-9B76-9F0B15E62261",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "46D69DCC-AE4D-4EA5-861C-D60951444C6C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:13.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "204FC6CC-9DAC-45FB-8A9F-C9C8EDD29D54",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\n). ParticipantGenericMessage is the DDS Security control-message container that carries not only the handshake but also on\ngoing security-control traffic after the handshake, such as crypto-token exchange, rekeying, re-authentication, and token \ndelivery for newly appearing endpoints. On receive, the CDR parser is invoked first and deserializes the `message_data` (i\n.e., the `DataHolderSeq`) via the `readParticipantGenericMessage \u2192 readDataHolderSeq` path. The `DataHolderSeq` is parsed \nsequentially: a sequence count (`uint32`), and for each DataHolder the `class_id` string (e.g. `DDS:Auth:PKI-DH:1.0+Req`),\n string properties (a sequence of key/value pairs), and binary properties (a name plus an octet-vector). The parser operat\nes at a stateless level and does not know higher-layer state (for example, whether the handshake has already completed), s\no it fully unfolds the structure before distinguishing legitimate from malformed traffic. Because RTPS permits duplicates,\n delays, and retransmissions, a receiver must perform at least minimal structural parsing to check identity and sequence n\numbers before discarding or processing a message; the current implementation, however, does not \"peek\" only at a minimal\n header and instead parses the entire `DataHolderSeq`. As a result, prior to versions 3.4.1, 3.3.1, and 2.6.11, this parsi\nng behavior can trigger an out-of-memory condition and remotely terminate the process. Versions 3.4.1, 3.3.1, and 2.6.11 p\natch the issue."
    },
    {
      "lang": "es",
      "value": "Fast DDS es una implementaci\u00f3n en C++ del est\u00e1ndar DDS (Data Distribution Service) de la OMG (Object Management Group). ParticipantGenericMessage es el contenedor de mensajes de control de DDS Security que transporta no solo el handshake sino tambi\u00e9n el tr\u00e1fico de control de seguridad continuo despu\u00e9s del handshake, como el intercambio de cripto-tokens, el rekeying, la re-autenticaci\u00f3n y la entrega de tokens para los endpoints que aparecen recientemente. Al recibir, el analizador CDR se invoca primero y deserializa el \u0027message_data\u0027 (es decir, el \u0027DataHolderSeq\u0027) a trav\u00e9s de la ruta \u0027readParticipantGenericMessage ? readDataHolderSeq\u0027. El \u0027DataHolderSeq\u0027 se analiza secuencialmente: un recuento de secuencia (\u0027uint32\u0027), y para cada DataHolder la cadena \u0027class_id\u0027 (por ejemplo, \u0027DDS:Auth:PKI-DH:1.0+Req\u0027), propiedades de cadena (una secuencia de pares clave/valor), y propiedades binarias (un nombre m\u00e1s un vector de octetos). El analizador opera a un nivel sin estado y no conoce el estado de capas superiores (por ejemplo, si el handshake ya se ha completado), por lo que despliega completamente la estructura antes de distinguir el tr\u00e1fico leg\u00edtimo del malformado. Debido a que RTPS permite duplicados, retrasos y retransmisiones, un receptor debe realizar al menos un an\u00e1lisis estructural m\u00ednimo para verificar la identidad y los n\u00fameros de secuencia antes de descartar o procesar un mensaje; la implementaci\u00f3n actual, sin embargo, no \u0027echa un vistazo\u0027 solo a una cabecera m\u00ednima y en su lugar analiza todo el \u0027DataHolderSeq\u0027. Como resultado, antes de las versiones 3.4.1, 3.3.1 y 2.6.11, este comportamiento de an\u00e1lisis puede desencadenar una condici\u00f3n de falta de memoria y terminar el proceso de forma remota. Las versiones 3.4.1, 3.3.1 y 2.6.11 parchean el problema."
    }
  ],
  "id": "CVE-2025-62603",
  "lastModified": "2026-02-18T16:11:42.930",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 1.7,
          "baseSeverity": "LOW",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "UNREPORTED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "LOW",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-03T20:15:56.787",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security-tracker.debian.org/tracker/CVE-2025-62603"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-125"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.