CVE-2025-59147
BaseFortify
Publication date: 2025-10-01
Last updated on: 2025-10-06
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oisf | suricata | up to 7.0.12 (exclusive) |
| oisf | suricata | 8.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-358 | The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Suricata versions 7.0.11 and below, as well as 8.0.0. It allows an attacker to bypass detection by sending multiple SYN packets with different sequence numbers within the same flow tuple. This causes Suricata to fail to recognize the TCP session properly. In IDS mode, this leads to detection and logging bypass, while in IPS mode, the flow gets blocked. The issue is fixed in versions 7.0.12 and 8.0.1.
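As an added example (not part of the original page and not Suricata's own logic), the following hunting check flags flow tuples that carry more than one initial SYN with different sequence numbers, which is the traffic pattern described above. The packet record layout, the sample packets and the 5-second window are assumptions made for illustration; retransmitted SYNs and later port reuse are treated as benign.

```python
from collections import defaultdict

# Constructed sample records (not real traffic):
# (timestamp, src_ip, src_port, dst_ip, dst_port, tcp_flags, seq)
PACKETS = [
    (0.000, "198.51.100.5", 40000, "192.0.2.10", 80, "S", 1000),
    (0.001, "198.51.100.5", 40000, "192.0.2.10", 80, "S", 5000),   # same tuple, new sequence number
    (0.002, "192.0.2.10", 80, "198.51.100.5", 40000, "SA", 9000),  # SYN/ACK, ignored
    (1.000, "198.51.100.6", 40001, "192.0.2.10", 80, "S", 2000),
    (2.000, "198.51.100.6", 40001, "192.0.2.10", 80, "S", 2000),   # retransmitted SYN, same sequence number
    (3.000, "198.51.100.7", 40002, "192.0.2.10", 80, "S", 3000),
    (300.0, "198.51.100.7", 40002, "192.0.2.10", 80, "S", 7000),   # port reuse minutes later
]


def find_multi_syn_flows(packets, window=5.0):
    """Return {flow_tuple: [sequence numbers]} for flows where consecutive
    initial SYNs carry different sequence numbers within `window` seconds.

    `window` is an assumed threshold separating a burst of conflicting SYNs
    from a legitimate new connection that reuses the same ports later.
    """
    syns = defaultdict(list)
    for ts, sip, sport, dip, dport, flags, seq in packets:
        # Initial SYN only: SYN set, ACK clear.
        if "S" in flags and "A" not in flags:
            syns[(sip, sport, dip, dport)].append((ts, seq))

    findings = {}
    for flow, seen in syns.items():
        seen.sort()
        conflicting = set()
        for (t1, s1), (t2, s2) in zip(seen, seen[1:]):
            # Same sequence number is a retransmission; a large gap is port reuse.
            if s1 != s2 and t2 - t1 <= window:
                conflicting.update((s1, s2))
        if conflicting:
            findings[flow] = sorted(conflicting)
    return findings


if __name__ == "__main__":
    for flow, seqs in find_multi_syn_flows(PACKETS).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]} SYN sequence numbers {seqs}")
```

Run against packet metadata captured independently of the sensor, a hit on a flow that the sensor logged nothing for is a candidate for review on unpatched versions.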
How can this vulnerability impact me?
If you use Suricata in IDS mode, this vulnerability can allow attackers to bypass detection and logging, potentially letting malicious traffic go unnoticed. In IPS mode, it can cause legitimate flows to be blocked incorrectly. This can impact network security monitoring and intrusion prevention effectiveness.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Suricata to version 7.0.12 or 8.0.1 or later, as these versions contain the fix for this vulnerability.