CVE-2025-62603

EPSS 0.03%
Veröffentlicht 03.02.2026 19:23:38
Zuletzt bearbeitet 04.02.2026 16:33:44
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group
). ParticipantGenericMessage is the DDS Security control-message container that carries not only the handshake but also on
going security-control traffic after the handshake, such as crypto-token exchange, rekeying, re-authentication, and token 
delivery for newly appearing endpoints. On receive, the CDR parser is invoked first and deserializes the `message_data` (i
.e., the `DataHolderSeq`) via the `readParticipantGenericMessage → readDataHolderSeq` path. The `DataHolderSeq` is parsed 
sequentially: a sequence count (`uint32`), and for each DataHolder the `class_id` string (e.g. `DDS:Auth:PKI-DH:1.0+Req`),
 string properties (a sequence of key/value pairs), and binary properties (a name plus an octet-vector). The parser operat
es at a stateless level and does not know higher-layer state (for example, whether the handshake has already completed), s
o it fully unfolds the structure before distinguishing legitimate from malformed traffic. Because RTPS permits duplicates,
 delays, and retransmissions, a receiver must perform at least minimal structural parsing to check identity and sequence n
umbers before discarding or processing a message; the current implementation, however, does not "peek" only at a minimal
 header and instead parses the entire `DataHolderSeq`. As a result, prior to versions 3.4.1, 3.3.1, and 2.6.11, this parsi
ng behavior can trigger an out-of-memory condition and remotely terminate the process. Versions 3.4.1, 3.3.1, and 2.6.11 p
atch the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellereProsima

≫

Produkt Fast-DDS

Default Statusunaffected

Version < 3.4.1

Version 3.4.0

Status affected

Version < 3.3.1

Version 3.0.0

Status affected

Version < 2.6.11

Version 0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.073

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	1.7	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f

https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a

https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b

https://security-tracker.debian.org/tracker/CVE-2025-62603

https://nvd.nist.gov/vuln/detail/CVE-2025-62603

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-62603

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-62603

EUVD