CVE-2025-21594

EPSS 0.1%
Published 09.04.2025 19:49:41
Last modified 11.04.2025 15:40:10
Source sirt@juniper.net
Teams watchlist Login
Open Login

An Improper Check for Unusual or Exceptional Conditions vulnerability in the pfe (packet forwarding engine) of Juniper Networks Junos OS on MX Series causes a port within a pool to be blocked leading to Denial of Service (DoS).

In a DS-Lite (Dual-Stack Lite) and NAT (Network Address Translation) scenario, when crafted IPv6 traffic is received and prefix-length is set to 56, the ports assigned to the user will not be freed.  Eventually, users cannot establish new connections. Affected FPC/PIC need to be manually restarted to recover.
Following is the command to identify the issue: 


    user@host> show services nat source port-block 
    Host_IP                       External_IP                    Port_Block      Ports_Used/        Block_State/
                                                               Range             Ports_Total        Left_Time(s)
    2001::                        x.x.x.x                     58880-59391     256/256*1         Active/-        >>>>>>>>port still usedThis issue affects Junos OS on MX Series: 

  *  from 21.2 before 21.2R3-S8, 
  *  from 21.4 before 21.4R3-S7, 
  *  from 22.1 before 22.1R3-S6, 
  *  from 22.2 before 22.2R3-S4, 
  *  from 22.3 before 22.3R3-S3, 
  *  from 22.4 before 22.4R3-S2, 
  *  from 23.2 before 23.2R2-S1, 
  *  from 23.4 before 23.4R1-S2, 23.4R2.


This issue does not affect versions before 20.2R1.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

VendorJuniper Networks

≫

Product Junos OS

Default Statusunaffected

Version < 21.2R3-S8

Version 0

Status affected

Version < 21.4R3-S7

Version 21.4

Status affected

Version < 22.1R3-S6

Version 22.1

Status affected

Version < 22.2R3-S4

Version 22.2

Status affected

Version < 22.3R3-S3

Version 22.3

Status affected

Version < 22.4R3-S2

Version 22.4

Status affected

Version < 23.2R2-S1

Version 23.2

Status affected

Version < 23.4R1-S2, 23.4R2

Version 23.4

Status affected

Version < 20.2R1

Version 0

Status unaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.1%	0.284

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
sirt@juniper.net	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
sirt@juniper.net	8.7	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:X/RE:X/U:X

CWE-754 Improper Check for Unusual or Exceptional Conditions

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

https://supportportal.juniper.net/JSA96449

https://nvd.nist.gov/vuln/detail/CVE-2025-21594

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-21594

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-21594

EUVD