CVE-2025-24807: Insufficient Verification of Data Authenticity in Fast-dds

Severity: 4.5 MEDIUM (NVD)
EPSS: 0.1% (top 75.29%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 11

Description

eprosima Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 2.6.10, 2.10.7, 2.14.5, 3.0.2, 3.1.2, and 3.2.0, by design, the PermissionsCA certificate is not validated against its full chain, nor is its expiration date checked. The access control plugin validates only the S/MIME signature, so an expired PermissionsCA is accepted as valid. Even though this issue is responsible for allowing `governance/permissions` from an expired Pe

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages (2 packages)

Source    | Package           | Affected versions
CVEListV5 | eprosima/fast-dds | < 2.6.10 (+4 more ranges)
NVD       | eprosima/fast_dds | 2.10.0 to 2.10.7 (+4 more ranges)

Patches

Vulnerability Details (2)

CVEList: Fast DDS does not verify Permissions CA (2025-02-11)
OSV: CVE-2025-24807: eprosima Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group) (2025-02-11)

Vendor Advisories (2)

Debian: CVE-2025-24807: fastdds - eprosima Fast DDS is a C++ implementation of the DDS (Data Distribution Service)... (2025)
Microsoft: Undici vulnerable to Regular Expression Denial of Service in Headers (2023-02-14)
CVE-2025-24807 — Eprosima Fast-dds vulnerability | cvebase