CVE-2025-54858: CWE-674 Uncontrolled Recursion in F5 BIG-IP
When a BIG-IP Advanced WAF or BIG-IP ASM Security Policy is configured with a JSON content profile that has a malformed JSON schema, and the security policy is applied to a virtual server, undisclosed requests can cause the bd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
AI Analysis
Technical Summary
CVE-2025-54858 is a vulnerability classified under CWE-674 (Uncontrolled Recursion) affecting the F5 BIG-IP Advanced WAF and ASM modules. The issue occurs when a security policy is configured with a JSON content profile containing a malformed JSON schema and that policy is applied to a virtual server. Under these conditions, certain crafted (undisclosed) requests can trigger uncontrolled recursion within the bd process, a core component responsible for processing security policies. The recursion exhausts the stack and causes the bd process to terminate unexpectedly, resulting in a denial of service (DoS) condition. The vulnerability affects multiple recent BIG-IP versions (15.1.0, 16.1.0, 17.1.0, and 17.5.0), all of which are still under support. The CVSS v3.1 base score is 7.5 (high), reflecting remote exploitability without authentication or user interaction and the impact on availability. Confidentiality and integrity are not affected: the flaw does not allow data leakage or unauthorized modification. No public exploits or active exploitation have been reported to date. The root cause is improper handling of malformed JSON schemas leading to uncontrolled recursion, a classic programming flaw that is mitigated by input validation and recursion depth control. Because the bd process is critical for enforcing security policies, its termination can disrupt web application firewall protection and potentially expose backend services to unfiltered traffic.
Potential Impact
The primary impact of CVE-2025-54858 is denial of service due to the termination of the bd process in F5 BIG-IP devices. This can cause temporary or prolonged unavailability of the security policy enforcement, potentially exposing protected applications to direct attacks or traffic without inspection. Organizations relying on BIG-IP Advanced WAF or ASM for critical application security may experience service disruptions, degraded security posture, and increased risk of downstream attacks. The vulnerability affects multiple widely deployed BIG-IP versions, increasing the scope of potential impact globally. Since exploitation requires no authentication and can be triggered remotely, attackers can cause outages without prior access. This can lead to operational downtime, loss of customer trust, and potential financial losses. However, the vulnerability does not allow data theft or modification, limiting the impact to availability. The lack of known exploits in the wild suggests limited immediate threat, but the high severity score warrants proactive mitigation. Enterprises in sectors such as finance, healthcare, government, and telecommunications that depend heavily on F5 BIG-IP for application delivery and security are particularly at risk.
Mitigation Recommendations
To mitigate CVE-2025-54858, organizations should first verify whether their BIG-IP deployments use the Advanced WAF or ASM modules with JSON content profiles that contain malformed JSON schemas. Immediate steps include reviewing and correcting JSON schema configurations so that they are well-formed and validated before the security policy is applied. Administrators should avoid deploying policies with unverified or overly complex JSON schemas that could trigger recursion. Applying vendor patches or updates as soon as they become available is critical; although no patches are currently listed, F5 advisories should be monitored for updates. As a temporary workaround, disabling or removing JSON content profiles from security policies reduces exposure. Network-level protections such as rate limiting and anomaly detection can help identify and block malformed requests aimed at this vulnerability. Regular audits of BIG-IP configurations and automated schema validation tools can prevent recurrence. Additionally, redundancy and failover mechanisms for BIG-IP devices can minimize service disruption if the bd process terminates unexpectedly. Finally, maintaining up-to-date backups and an incident response plan will aid rapid recovery if exploitation occurs.
Affected Countries
United States, United Kingdom, Germany, France, Japan, Australia, Canada, Netherlands, South Korea, Singapore
Technical Details
- Data Version: 5.1
- Assigner Short Name: f5
- Date Reserved: 2025-10-03T23:04:38.066Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68efa99427d7577a18004095
Added to database: 10/15/2025, 2:03:00 PM
Last enriched: 2/27/2026, 5:35:11 AM
Last updated: 3/24/2026, 8:33:37 AM
Views: 126