CVE-2025-54805: CWE-401 Missing Release of Memory after Effective Lifetime in F5 BIG-IP Next SPK
When an iRule is configured on a virtual server via the declarative API, upon re-instantiation, the cleanup process can cause an increase in the Traffic Management Microkernel (TMM) memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
AI Analysis
Technical Summary
CVE-2025-54805 is a vulnerability classified under CWE-401 (Missing Release of Memory after Effective Lifetime) affecting F5 BIG-IP Next SPK version 1.7.0. The flaw arises when an iRule is configured on a virtual server using the declarative API. Upon re-instantiation of the iRule, the cleanup process fails to properly release allocated memory within the Traffic Management Microkernel (TMM), which is responsible for handling network traffic management tasks. This memory leak causes a gradual increase in TMM's memory resource utilization, potentially leading to exhaustion of available memory resources. The vulnerability does not affect confidentiality or integrity but impacts availability by risking denial of service conditions due to resource depletion. Exploitation requires network access and privileges sufficient to configure iRules on the virtual server, but no user interaction is needed. The CVSS v3.1 base score is 6.5, reflecting medium severity with network attack vector, low attack complexity, and no privileges required beyond configuration rights. No public exploits or active exploitation have been reported to date. The vulnerability affects only version 1.7.0 of BIG-IP Next SPK, and versions that have reached End of Technical Support (EoTS) are not evaluated. No patches are currently linked, indicating that mitigation may rely on vendor updates or configuration workarounds.
Potential Impact
The primary impact of CVE-2025-54805 is on the availability of F5 BIG-IP Next SPK systems. The memory leak in the TMM component can cause progressive memory exhaustion, leading to degraded performance or complete denial of service of the virtual server managing network traffic. This can disrupt critical network services, including load balancing, application delivery, and security functions that BIG-IP devices typically provide. Organizations relying on BIG-IP Next SPK for high availability and traffic management may experience outages or degraded service quality, impacting business continuity and user experience. Since the vulnerability does not affect confidentiality or integrity, data breaches or unauthorized data modification are not direct concerns. However, denial of service in network infrastructure can indirectly affect overall security posture by reducing defense capabilities. The requirement for privileges to configure iRules limits exploitation to insiders or attackers who have gained administrative access, reducing the likelihood of widespread exploitation but increasing risk in compromised environments.
Mitigation Recommendations
To mitigate CVE-2025-54805, organizations should first verify if they are running F5 BIG-IP Next SPK version 1.7.0 with iRules configured via the declarative API. Until a vendor patch is released, administrators should minimize re-instantiation of iRules or avoid frequent changes that trigger the cleanup process causing the memory leak. Monitoring TMM memory usage closely with automated alerts can help detect abnormal increases early. Restrict administrative access to the declarative API and iRule configuration to trusted personnel only, employing strong authentication and role-based access controls. Consider implementing network segmentation to limit exposure of management interfaces. If possible, upgrade to a later version of BIG-IP Next SPK once a fix is available or apply any vendor-provided workarounds. Regularly review F5 security advisories for updates. Additionally, conducting periodic memory usage audits and stress tests can help identify potential resource exhaustion scenarios before impacting production environments.
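Added example (not F5 code and not part of this record): a trend detector for the TMM memory monitoring recommended above. It assumes the operator already collects TMM memory usage as periodic (timestamp, used MB) samples through whatever metrics pipeline is in place; the sample series, thresholds and function names below are constructed for illustration. The detector requires both a sustained positive least-squares slope and a run of non-decreasing samples, so a traffic burst whose memory is later released does not trip the alert while a leak that never frees does.

```python
"""Trend-based detector for sustained TMM memory growth (illustrative only).

This is an added example, not F5 code and not from this CVE record. It uses no
F5 API; it assumes TMM memory usage is already exported as periodic
(seconds_since_epoch, used_mb) samples by the operator's own metrics pipeline.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

Sample = Tuple[float, float]  # (seconds since epoch, TMM memory used in MB)


@dataclass
class LeakAlert:
    slope_mb_per_hour: float
    consecutive_rises: int
    first_ts: float
    last_ts: float


def slope_mb_per_hour(samples: Sequence[Sample]) -> float:
    """Least-squares slope of used memory over time, converted to MB per hour."""
    n = len(samples)
    if n < 2:
        return 0.0
    mean_t = sum(t for t, _ in samples) / n
    mean_m = sum(m for _, m in samples) / n
    num = sum((t - mean_t) * (m - mean_m) for t, m in samples)
    den = sum((t - mean_t) ** 2 for t, _ in samples)
    if den == 0:
        return 0.0
    return num / den * 3600.0


def count_consecutive_rises(samples: Sequence[Sample]) -> int:
    """Longest run of consecutive samples where memory never decreased.

    A leak never returns memory, so a long run of non-decreasing samples is the
    signature we want; normal traffic fluctuates up and down."""
    best = run = 0
    for (_, prev), (_, cur) in zip(samples, samples[1:]):
        run = run + 1 if cur >= prev else 0
        best = max(best, run)
    return best


def detect_leak(samples: Sequence[Sample], window: int = 10,
                min_slope_mb_per_hour: float = 50.0,
                min_rises: int = 6) -> Optional[LeakAlert]:
    """Return a LeakAlert when the last `window` samples show a steady climb.

    Both conditions (slope above threshold AND a long non-decreasing run) must
    hold, so a single burst that is later released does not fire the alert.
    Thresholds are constructed placeholders; tune them to the platform's
    observed baseline."""
    recent = list(samples[-window:])
    if len(recent) < window:
        return None  # not enough history to judge a trend
    s = slope_mb_per_hour(recent)
    rises = count_consecutive_rises(recent)
    if s >= min_slope_mb_per_hour and rises >= min_rises:
        return LeakAlert(s, rises, recent[0][0], recent[-1][0])
    return None


# Constructed sample series, one sample every 60 s, values in MB.
LEAKING = [(60.0 * i, 1000.0 + 12.0 * i) for i in range(10)]   # +12 MB/min, never freed
STABLE = list(zip((60.0 * i for i in range(10)),
                  [1000, 1010, 1005, 1012, 1004, 1011, 1006, 1009, 1003, 1010]))
BURST_THEN_RELEASE = list(zip((60.0 * i for i in range(10)),
                              [1000, 1020, 1040, 1060, 1080, 1100, 1120, 1020, 1010, 1005]))


def run_demo() -> dict:
    """Evaluate the three constructed series and return the verdicts."""
    return {
        "leaking": detect_leak(LEAKING),
        "stable": detect_leak(STABLE),
        "burst_then_release": detect_leak(BURST_THEN_RELEASE),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {'ALERT ' + str(verdict) if verdict else 'no alert'}")
```

In practice the window and slope threshold should be derived from the platform's normal TMM memory baseline, and the detector is most useful when its samples are correlated with configuration events (such as iRule re-instantiation via the declarative API) so that growth can be tied back to the triggering change.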
Affected Countries
United States, United Kingdom, Germany, France, Japan, Australia, Canada, Netherlands, Singapore, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: f5
- Date Reserved: 2025-10-03T23:04:21.132Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68efa99427d7577a1800408f
Added to database: 10/15/2025, 2:03:00 PM
Last enriched: 2/27/2026, 5:34:42 AM
Last updated: 3/26/2026, 11:09:32 AM
Views: 85