CVE-2025-53538
Suricata's mishandling of data on HTTP2 stream 0 can lead to resource starvation
Severity Score
7.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track
*SSVC
Descriptions
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions 7.0.10 and below and 8.0.0-beta1 through 8.0.0-rc1, mishandling of data on HTTP/2 stream 0 can lead to uncontrolled memory usage, leading to loss of visibility. Workarounds include disabling the HTTP/2 parser, or using a signature like drop http2 any any -> any any (frame:http2.hdr; byte_test:1,=,0,3; byte_test:4,=,0,5; sid: 1;), where the first byte_test checks that the HTTP/2 frame type is DATA and the second checks that the stream ID is 0. This is fixed in versions 7.0.11 and 8.0.0.
*Credits:
N/A
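The workaround signature above keys on two fields of the 9-byte HTTP/2 frame header: the type byte at offset 3 (DATA is type 0) and the 4-byte stream identifier at offset 5. The following is an added example, not part of this record and not Suricata's own code, that parses frame headers from a constructed byte stream and flags DATA frames on stream 0 the same way the two byte_test keywords do. It assumes the RFC 9113 frame layout (24-bit length, 8-bit type, 8-bit flags, 1 reserved bit plus 31-bit stream ID) and uses only the standard library; the sample frames are constructed for the example.

```python
import struct
from typing import Iterator, NamedTuple, Tuple

# HTTP/2 frame header layout (RFC 9113 section 4.1):
#   bytes 0-2: 24-bit payload length
#   byte  3  : frame type (DATA = 0x0)
#   byte  4  : flags
#   bytes 5-8: 1 reserved bit + 31-bit stream identifier
HTTP2_FRAME_HEADER_LEN = 9
FRAME_TYPE_DATA = 0x0
FRAME_TYPE_HEADERS = 0x1


class FrameHeader(NamedTuple):
    length: int
    frame_type: int
    flags: int
    stream_id: int


def parse_frame_header(buf: bytes) -> FrameHeader:
    """Decode one 9-byte frame header; the reserved bit is masked off."""
    if len(buf) < HTTP2_FRAME_HEADER_LEN:
        raise ValueError("buffer shorter than an HTTP/2 frame header")
    length = int.from_bytes(buf[0:3], "big")
    frame_type = buf[3]
    flags = buf[4]
    stream_id = struct.unpack("!I", buf[5:9])[0] & 0x7FFFFFFF
    return FrameHeader(length, frame_type, flags, stream_id)


def signature_matches(frame: bytes) -> bool:
    """Literal equivalent of the advisory's two byte_test checks:
    byte_test:1,=,0,3  -> one byte at offset 3 equals 0 (DATA)
    byte_test:4,=,0,5  -> four bytes at offset 5 equal 0 (stream 0)
    """
    if len(frame) < HTTP2_FRAME_HEADER_LEN:
        return False
    return frame[3] == FRAME_TYPE_DATA and frame[5:9] == b"\x00\x00\x00\x00"


def iter_frames(buf: bytes) -> Iterator[Tuple[FrameHeader, bytes]]:
    """Walk a concatenation of complete frames; stop at a truncated tail."""
    off = 0
    while off + HTTP2_FRAME_HEADER_LEN <= len(buf):
        hdr = parse_frame_header(buf[off:off + HTTP2_FRAME_HEADER_LEN])
        end = off + HTTP2_FRAME_HEADER_LEN + hdr.length
        if end > len(buf):
            break  # incomplete frame: do not guess at its contents
        yield hdr, buf[off:end]
        off = end


def build_frame(frame_type: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Construct a frame (used only to build the sample input below)."""
    return (len(payload).to_bytes(3, "big")
            + bytes([frame_type, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF)
            + payload)


def count_data_on_stream0(buf: bytes) -> int:
    """Number of DATA frames carried on the connection-level stream 0,
    which is exactly what the workaround signature drops."""
    return sum(1 for hdr, _ in iter_frames(buf)
               if hdr.frame_type == FRAME_TYPE_DATA and hdr.stream_id == 0)


# Constructed sample stream: one legitimate HEADERS frame on stream 1,
# one DATA frame on stream 1, and one DATA frame misdirected to stream 0.
SAMPLE_STREAM = b"".join([
    build_frame(FRAME_TYPE_HEADERS, 0x04, 1, b"\x82"),      # END_HEADERS, :method GET
    build_frame(FRAME_TYPE_DATA, 0x00, 1, b"hello"),
    build_frame(FRAME_TYPE_DATA, 0x00, 0, b"\x00" * 16),    # matches the signature
])

if __name__ == "__main__":
    for hdr, raw in iter_frames(SAMPLE_STREAM):
        print(hdr, "signature match" if signature_matches(raw) else "ok")
    print("DATA frames on stream 0:", count_data_on_stream0(SAMPLE_STREAM))
```

Because frame:http2.hdr exposes the raw header bytes, the signature's second byte_test compares all four bytes at offset 5, so it matches only when the reserved bit is also clear; the parser above masks that bit, which is the usual reading of the field and agrees with the signature for every frame a conforming peer sends.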
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2025-07-02 CVE Reserved
- 2025-07-08 CVE Published
- 2025-07-23 CVE Updated
- 2025-08-23 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-400: Uncontrolled Resource Consumption
- CWE-770: Allocation of Resources Without Limits or Throttling
CAPEC
References (3)
URL | Tag | Source |
---|---|---|
https://github.com/OISF/suricata/commit/1d6d331752e933c46aca0ae7a9679b27462246e3 | X_refsource_misc | |
https://github.com/OISF/suricata/commit/7fa88ea9e7d05e07a7864050cfd836b576669720 | X_refsource_misc | |
https://github.com/OISF/suricata/security/advisories/GHSA-qrr7-crgj-cmh3 | X_refsource_confirm | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
OISF | Suricata | < 7.0.11 | | Affected |
OISF | Suricata | 8.0.0 | | Affected |