Suricata is vulnerable to a stack overflow from unbounded stack...

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, working with large buffers in Lua scripts can lead to a stack overflow. Users of Lua rules and output scripts may be affected when working with large buffers. This includes a rule passing a large buffer to a Lua script. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves disabling Lua rules and output scripts, or making sure limits, such as stream.depth.reassembly and HTTP response body limits (response-body-limit), are set to less than half the stack size.

Basic Information

ID CVE-2025-64344

Source GitHub_M

Published Nov 26, 2025 at 23:05

Affected Product

Vendor OISF

Product suricata

Version < 7.0.13

Affected Versions OISF suricata < 7.0.13
OISF suricata < 8.0.2

CWE Classification

CWE-121

References

{
    "lastseen": "",
    "description": "Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, working with large buffers in Lua scripts can lead to a stack overflow. Users of Lua rules and output scripts may be affected when working with large buffers. This includes a rule passing a large buffer to a Lua script. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves disabling Lua rules and output scripts, or making sure limits, such as stream.depth.reassembly and HTTP response body limits (response-body-limit), are set to less than half the stack size.",
    "published": "2025-11-26T23:05:33.333Z",
    "modified": "2025-11-26T23:05:33.333Z",
    "type": "cve",
    "title": "Suricata is vulnerable to a stack overflow from unbounded stack allocation in LuaPushStringBuffer",
    "source": "GitHub_M",
    "references": "https://github.com/OISF/suricata/security/advisories/GHSA-93fh-cgmc-w3rx\nhttps://github.com/OISF/suricata/commit/e13fe6a90dba210a478148c4084f6f5db17c5b5a",
    "id": "CVE-2025-64344",
    "bulletinFamily": "",
    "cwe": [
        "CWE-121"
    ],
    "cvelist": null,
    "sourceData": "OISF suricata < 7.0.13\nOISF suricata < 8.0.2",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "suricata",
    "version": "< 7.0.13",
    "vendor": "OISF",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Suricata is vulnerable to a stack overflow from unbounded stack allocation in LuaPushStringBuffer_CVE-2025-64344