CVE-2025-53538

CVE-2025-53538

Name

CVE-2025-53538

Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions 7.0.10 and below and 8.0.0-beta1 through 8.0.0-rc1, mishandling of data on HTTP2 stream 0 can lead to uncontrolled memory usage, leading to loss of visibility. Workarounds include disabling the HTTP/2 parser, and using a signature like drop http2 any any -> any any (frame:http2.hdr; byte_test:1,=,0,3; byte_test:4,=,0,5; sid: 1;) where the first byte test tests the HTTP2 frame type DATA and the second tests the stream id 0. This is fixed in versions 7.0.11 and 8.0.0.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://github.com/OISF/suricata/commit/1d6d331752e933c46aca0ae7a9679b27462246e3
MISC	https://github.com/OISF/suricata/commit/7fa88ea9e7d05e07a7864050cfd836b576669720
CONFIRM	https://github.com/OISF/suricata/security/advisories/GHSA-qrr7-crgj-cmh3

Type

URI

MISC

https://github.com/OISF/suricata/commit/1d6d331752e933c46aca0ae7a9679b27462246e3

MISC

https://github.com/OISF/suricata/commit/7fa88ea9e7d05e07a7864050cfd836b576669720

CONFIRM

https://github.com/OISF/suricata/security/advisories/GHSA-qrr7-crgj-cmh3

Match rules

CPE URI	Source package	Min version	Max version
	suricata	>= 0	< 7.0.11
	suricata	>= 8.0.0-beta1	< 8.0.0
`cpe:2.3:a:oisf:suricata::::::::`	suricata	>= None	< 7.0.11
`cpe:2.3:a:oisf:suricata:8.0.0:beta1::::::`	suricata	== None	== 8.0.0

CPE URI

Source package

Min version

Max version

suricata

>= 0

< 7.0.11

suricata

>= 8.0.0-beta1

< 8.0.0

cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*

suricata

>= None

< 7.0.11

cpe:2.3:a:oisf:suricata:8.0.0:beta1:*:*:*:*:*:*

suricata

== None

== 8.0.0

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
suricata	edge-community	8.0.0-r0	Steve McMaster <steve@mcmaster.io>	possibly vulnerable
suricata	edge-community	7.0.10-r1	Steve McMaster <steve@mcmaster.io>	possibly vulnerable
suricata	edge-community	7.0.10-r0	Steve McMaster <steve@mcmaster.io>	possibly vulnerable
suricata	edge-community	7.0.8-r0	Steve McMaster <code@mcmaster.io>	possibly vulnerable
suricata	edge-community	7.0.7-r0	Steve McMaster <code@mcmaster.io>	possibly vulnerable
suricata	edge-community	7.0.6-r0	Steve McMaster <code@mcmaster.io>	possibly vulnerable
suricata	edge-community	6.0.4-r0	Steve McMaster <code@mcmaster.io>	possibly vulnerable
suricata	edge-community	6.0.3-r0	Steve McMaster <code@mcmaster.io>	possibly vulnerable
suricata	3.23-community	8.0.0-r0	Steve McMaster <steve@mcmaster.io>	possibly vulnerable
suricata	3.22-community	7.0.10-r1	Steve McMaster <steve@mcmaster.io>	possibly vulnerable
suricata	3.22-community	7.0.8-r0	Steve McMaster <code@mcmaster.io>	possibly vulnerable
suricata	3.22-community	7.0.7-r0	None	possibly vulnerable
suricata	3.22-community	7.0.6-r0	None	possibly vulnerable
suricata	3.22-community	6.0.4-r0	None	possibly vulnerable
suricata	3.22-community	6.0.3-r0	None	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages