CVE-2025-59147 | THREATINT

Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Versions 7.0.11 and below, as well as 8.0.0, are vulnerable to detection bypass when crafted traffic sends multiple SYN packets with different sequence numbers within the same flow tuple, which can cause Suricata to fail to pick up the TCP session. In IDS mode this can lead to a detection and logging bypass. In IPS mode this will lead to the flow getting blocked. This issue is fixed in versions 7.0.12 and 8.0.1.

PUBLISHED Reserved 2025-09-09 | Published 2025-10-01 | Updated 2025-10-01 | Assigner GitHub_M

HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Problem types

CWE-358: Improperly Implemented Security Check for Standard

Product status

< 7.0.12

affected

>= 8.0.0, < 8.0.1

affected

References

github.com/...ricata/security/advisories/GHSA-v8hv-6v7x-4c2r

github.com/...ommit/be6315dba0d9101b11d16e9dacfe2822b3792f1b

github.com/...ommit/e91b03c90385db15e21cf1a0e85b921bf92b039e

forum.suricata.io/t/suricata-8-0-1-and-7-0-12-released/6018

cve.org (CVE-2025-59147)

nvd.nist.gov (CVE-2025-59147)

Download JSON