CVE-2025-59147Improperly Implemented Security Check for Standard in Suricata

CWE-358Improperly Implemented Security Check for Standard4 documents4 sources
Severity
7.5HIGHNVD
EPSS
0.1%
top 82.77%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Oisf Suricata
Timeline
PublishedOct 1

Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Versions 7.0.11 and below, as well as 8.0.0, are vulnerable to detection bypass when crafted traffic sends multiple SYN packets with different sequence numbers within the same flow tuple, which can cause Suricata to fail to pick up the TCP session. In IDS mode this can lead to a detection and logging bypass. In IPS mode this will lead to the flow getting blocked.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

CVEListV5oisf/suricata< 7.0.12+1
NVDoisf/suricata< 7.0.12+1
Debianoisf/suricata< 1:7.0.10-1+deb13u1+1

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

2
CVEList
Suricata is Vulnerable to Detection Bypass via Crafted Multiple SYN Packets2025-10-01
OSV
CVE-2025-59147: Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community2025-10-01

📋Vendor Advisories

1
Debian
CVE-2025-59147: suricata - Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Inform...2025
CVE-2025-59147 — Oisf Suricata vulnerability | cvebase