CVE-2025-58474: CWE-770 Allocation of Resources Without Limits or Throttling in F5 BIG-IP
CVE-2025-58474 is a medium severity vulnerability in F5 BIG-IP version 17.1.0 involving allocation of resources without limits or throttling (CWE-770). It affects configurations where BIG-IP Advanced WAF is enabled with Server-Side Request Forgery (SSRF) protection or when an NGINX server uses App Protect Bot Defense. The vulnerability allows undisclosed requests to disrupt new client requests, causing a denial of service condition by exhausting resources. Exploitation requires no authentication or user interaction and can be performed remotely over the network. No known exploits are currently in the wild, and no patches have been released yet. European organizations using BIG-IP 17.1.0 with these specific configurations may experience service disruptions impacting availability.
AI Analysis
Technical Summary
CVE-2025-58474 is a vulnerability classified under CWE-770, which concerns the allocation of resources without proper limits or throttling, leading to potential denial of service (DoS) conditions. This issue specifically affects F5 BIG-IP version 17.1.0 when configured with Advanced Web Application Firewall (WAF) features that include Server-Side Request Forgery (SSRF) protection or when an NGINX server is configured with App Protect Bot Defense. The vulnerability arises because the system does not adequately limit or throttle resource allocation for certain undisclosed requests, which can be crafted to consume excessive resources. This results in disruption of new client requests, effectively denying service to legitimate users. The CVSS v3.1 score is 5.3 (medium), reflecting a network attack vector with low complexity, no privileges required, and no user interaction needed. The impact is limited to availability, with no confidentiality or integrity loss. No known exploits have been reported in the wild, and no patches are currently available, though the vendor has published the vulnerability details. The vulnerability does not affect versions that have reached End of Technical Support (EoTS).
Potential Impact
For European organizations, the primary impact of CVE-2025-58474 is a denial of service condition that disrupts availability of services protected by F5 BIG-IP Advanced WAF or NGINX App Protect Bot Defense. This can affect web-facing applications, potentially causing downtime or degraded performance. Critical sectors such as finance, healthcare, telecommunications, and government services that rely on BIG-IP for security and traffic management are at risk of service interruptions. The lack of confidentiality or integrity impact reduces the risk of data breaches but availability disruptions can lead to operational losses, reputational damage, and regulatory compliance issues under GDPR if services become unavailable. Since exploitation requires no authentication and can be performed remotely, attackers can launch DoS attacks from anywhere, increasing the threat surface. Organizations using version 17.1.0 with the specified configurations should consider this a significant availability risk until mitigations or patches are applied.
Mitigation Recommendations
1. Monitor resource utilization closely on BIG-IP devices, especially when Advanced WAF with SSRF protection or NGINX App Protect Bot Defense is enabled, to detect abnormal spikes indicative of exploitation attempts.
2. Implement network-level rate limiting and filtering to restrict potentially malicious traffic patterns targeting the vulnerable configurations.
3. Restrict administrative and management interface access to trusted networks and use strong authentication and network segmentation to reduce attack vectors.
4. Deploy Web Application Firewall rules to detect and block suspicious request patterns that could trigger resource exhaustion.
5. Maintain up-to-date backups and incident response plans to quickly recover from potential service disruptions.
6. Engage with F5 support and monitor their advisories for patches or updates addressing this vulnerability and apply them promptly once available.
7. Consider temporarily disabling or reconfiguring SSRF protection or App Protect Bot Defense features if feasible and if the risk of exploitation outweighs the benefits until a patch is released.
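Steps 1 and 2 above (spike detection and rate limiting) are the controls most directly relevant to a CWE-770 resource-exhaustion condition. The following Python script is an added example, not code from this advisory or from F5: it parses a few constructed access-log lines in an assumed NGINX-style combined format, flags clients whose request count inside a sliding window exceeds a threshold, and replays the same traffic through a per-client token bucket to show how a limiter would shed the burst. The log format, the client addresses, the thresholds (`window_s`, `max_requests`, `rate`, `capacity`) and the sample lines are all assumptions chosen for illustration.

```python
"""Added example: per-client burst detection and token-bucket limiting over
access-log lines. Not from the advisory or from F5; the log format, thresholds
and sample data below are assumptions made for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed access-log layout (simplified NGINX/Apache "combined" style).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines: 203.0.113.7 bursts six requests in two seconds,
# 198.51.100.3 sends an ordinary trickle. Addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Oct/2025:14:03:00 +0000] "GET /api/fetch?u=a HTTP/1.1" 200 512
198.51.100.3 - - [15/Oct/2025:14:03:00 +0000] "GET / HTTP/1.1" 200 1024
203.0.113.7 - - [15/Oct/2025:14:03:00 +0000] "GET /api/fetch?u=b HTTP/1.1" 200 512
203.0.113.7 - - [15/Oct/2025:14:03:01 +0000] "GET /api/fetch?u=c HTTP/1.1" 200 512
203.0.113.7 - - [15/Oct/2025:14:03:01 +0000] "GET /api/fetch?u=d HTTP/1.1" 200 512
203.0.113.7 - - [15/Oct/2025:14:03:02 +0000] "GET /api/fetch?u=e HTTP/1.1" 200 512
203.0.113.7 - - [15/Oct/2025:14:03:02 +0000] "GET /api/fetch?u=f HTTP/1.1" 200 512
198.51.100.3 - - [15/Oct/2025:14:03:05 +0000] "GET /about HTTP/1.1" 200 2048
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_bursts(log_text, window_s=2.0, max_requests=5):
    """Return {client: peak_count} for every client whose request count in
    any sliding window of window_s seconds exceeded max_requests."""
    windows = defaultdict(deque)   # client -> timestamps inside the window
    peak = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        t = rec["ts"].timestamp()
        q = windows[rec["client"]]
        q.append(t)
        while q and t - q[0] > window_s:   # drop timestamps that fell out
            q.popleft()
        peak[rec["client"]] = max(peak[rec["client"]], len(q))
    return {c: n for c, n in peak.items() if n > max_requests}


class TokenBucket:
    """Per-client token bucket: refills `rate` tokens/second up to `capacity`."""

    def __init__(self, rate, capacity):
        self.rate, self.capacity = rate, capacity
        self.tokens = defaultdict(lambda: capacity)
        self.last = {}

    def allow(self, client, now):
        elapsed = now - self.last.get(client, now)
        self.tokens[client] = min(self.capacity,
                                  self.tokens[client] + elapsed * self.rate)
        self.last[client] = now
        if self.tokens[client] >= 1:
            self.tokens[client] -= 1
            return True
        return False


def replay_with_limiter(log_text, rate=0.5, capacity=2):
    """Replay the log through the limiter; return {client: (allowed, denied)}."""
    bucket = TokenBucket(rate, capacity)
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        idx = 0 if bucket.allow(rec["client"], rec["ts"].timestamp()) else 1
        stats[rec["client"]][idx] += 1
    return {c: tuple(v) for c, v in stats.items()}


if __name__ == "__main__":
    print("burst clients:", find_bursts(SAMPLE_LOG))
    print("limiter verdicts:", replay_with_limiter(SAMPLE_LOG))
```

On the sample data the sliding window flags 203.0.113.7 with a peak of six requests, and the token bucket admits three of its six requests while passing both requests from 198.51.100.3 untouched. In practice the thresholds should be derived from a baseline of normal traffic to the protected virtual server, and the per-client key should be whatever identity the edge actually sees (source address, or a forwarded-for header only when it is set by a trusted proxy).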
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: f5
- Date Reserved: 2025-10-06T23:17:24.062Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68efa99427d7577a180040b7
Added to database: 10/15/2025, 2:03:00 PM
Last enriched: 10/23/2025, 1:08:47 AM
Last updated: 12/3/2025, 2:18:15 PM