
CVE-2025-62599: CWE-190 Integer Overflow or Wraparound in eProsima Fast-DDS

Severity: Low
Tags: Vulnerability, CVE-2025-62599, CWE-190, CWE-125
Published: Tue Feb 03 2026 (02/03/2026, 17:54:49 UTC)
Source: CVE Database V5
Vendor/Project: eProsima
Product: Fast-DDS

Description

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If the fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage are modified, specifically by tampering with the length field in readPropertySeq, an integer overflow occurs, leading to an OOM during the resize operation. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.

AI-Powered Analysis

AILast updated: 02/04/2026, 08:09:47 UTC

Technical Analysis

CVE-2025-62599 is a denial-of-service vulnerability in eProsima Fast-DDS, a widely used C++ implementation of the Object Management Group's Data Distribution Service (DDS) standard. It affects versions prior to 3.4.1, 3.3.1, and 2.6.11 when the security mode is enabled. The flaw is in the parsing of the DATA Submessage carried in SPDP (Simple Participant Discovery Protocol) packets, the announcements by which a participant makes itself known to its peers. With DDS Security enabled, that announcement carries the participant's identity and permission tokens (PID_IDENTITY_TOKEN and PID_PERMISSION_TOKEN), each encoded as a sequence of properties. The length of that sequence is read in readPropertySeq; a tampered length feeds a size computation that wraps around (CWE-190), and the wrapped result reaches a resize operation that attempts an allocation far larger than the payload could possibly contain. The allocation fails or exhausts memory, and the Fast-DDS process terminates. Because SPDP is how participants find each other, the announcement is processed before the remote peer has been authenticated, so an attacker who can inject or modify discovery traffic on the segment needs no credentials and no user interaction; the impact is limited to availability. The CVE record also tags CWE-125 (Out-of-bounds Read); the description itself only details the overflow-to-OOM path. The CVSS 4.0 base score is 1.7 (Low), reflecting the availability-only impact and the need to tamper with discovery traffic. No known exploits are currently reported in the wild. The general remedy for this pattern is to validate the claimed length against the bytes remaining in the received packet before it is used to size any allocation; the vendor addressed the issue in versions 3.4.1, 3.3.1, and 2.6.11.
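To make the length-to-allocation pattern concrete, the following is an added illustration written for this page. It is not Fast-DDS source and does not reproduce readPropertySeq; it assumes a simplified CDR-style encoding (a u32 property count followed by name/value strings, each a u32 length that includes the terminating NUL, with alignment padding omitted) and a little-endian host. The packet contents are constructed. The first parser does its "fits in the payload" check with 32-bit arithmetic that wraps, so an attacker-chosen count of 0x20000001 passes the check and reaches resize(); the second bounds the count by what the remaining bytes could hold before touching the allocator.

```cpp
// Added illustration, not Fast-DDS source. Simplified CDR-style property
// sequence: u32 count, then (name, value) strings, each a u32 length that
// includes the terminating NUL followed by the bytes. Alignment padding is
// omitted and a little-endian host is assumed.
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

struct Property {
    std::string name;
    std::string value;
};

// Minimum wire bytes any property can occupy: two u32 string lengths.
constexpr uint32_t kMinPropertyBytes = 8;

// Read cursor over a received packet buffer; every read is bounds-checked.
class Cursor {
public:
    explicit Cursor(const std::vector<uint8_t>& buf) : buf_(buf) {}
    size_t remaining() const { return buf_.size() - pos_; }
    uint32_t readU32() {
        if (remaining() < 4) throw std::runtime_error("truncated u32");
        uint32_t v;
        std::memcpy(&v, buf_.data() + pos_, 4);  // little-endian host assumed
        pos_ += 4;
        return v;
    }
    std::string readString() {
        uint32_t len = readU32();
        if (len == 0 || len > remaining()) throw std::runtime_error("bad string length");
        std::string s(reinterpret_cast<const char*>(buf_.data() + pos_), len - 1);
        pos_ += len;
        return s;
    }
private:
    const std::vector<uint8_t>& buf_;
    size_t pos_ = 0;
};

// Vulnerable-style size check: the multiplication is done in 32 bits, so a
// claimed count of 0x20000001 gives 0x100000008, which wraps to 8 (CWE-190)
// and passes a "fits in the payload" test.
uint32_t wrapped_bytes_needed(uint32_t count) {
    return count * kMinPropertyBytes;
}

// Vulnerable-style parser: the wrapped check lets a huge count reach resize(),
// which tries to allocate gigabytes; the process dies with bad_alloc or is
// OOM-killed. Do not feed it a tampered packet unless that is what you want.
std::vector<Property> parse_unchecked(const std::vector<uint8_t>& buf) {
    Cursor cur(buf);
    uint32_t count = cur.readU32();
    if (wrapped_bytes_needed(count) > cur.remaining())
        throw std::runtime_error("sequence exceeds payload");
    std::vector<Property> props;
    props.resize(count);
    for (auto& p : props) {
        p.name = cur.readString();
        p.value = cur.readString();
    }
    return props;
}

// Hardened parser: bound the count by what the remaining payload could hold,
// using a division that cannot overflow, before touching the allocator.
std::vector<Property> parse_checked(const std::vector<uint8_t>& buf) {
    Cursor cur(buf);
    uint32_t count = cur.readU32();
    if (count > cur.remaining() / kMinPropertyBytes)
        throw std::runtime_error("property count exceeds payload");
    std::vector<Property> props;
    props.reserve(count);
    for (uint32_t i = 0; i < count; ++i) {
        Property p;
        p.name = cur.readString();
        p.value = cur.readString();
        props.push_back(std::move(p));
    }
    return props;
}

// Packet construction helpers (constructed sample data, not captured traffic).
void put_u32(std::vector<uint8_t>& b, uint32_t v) {
    for (int i = 0; i < 4; ++i) b.push_back(static_cast<uint8_t>(v >> (8 * i)));
}
void put_string(std::vector<uint8_t>& b, const std::string& s) {
    put_u32(b, static_cast<uint32_t>(s.size() + 1));
    b.insert(b.end(), s.begin(), s.end());
    b.push_back(0);
}
// claimed_count is what the attacker writes; actual is what the packet holds.
std::vector<uint8_t> build_packet(uint32_t claimed_count, const std::vector<Property>& actual) {
    std::vector<uint8_t> b;
    put_u32(b, claimed_count);
    for (const auto& p : actual) {
        put_string(b, p.name);
        put_string(b, p.value);
    }
    return b;
}
```

Build a benign packet with `build_packet(1, props)` and both parsers return the one property; build the same bytes with a claimed count of 0x20000001 and `wrapped_bytes_needed` reports 8, so the unchecked parser would proceed to `resize(0x20000001)`, while `parse_checked` rejects it because 43 remaining bytes cannot hold more than 5 properties. The division form of the check is the point: it compares the attacker's number against a value derived from the real packet size without ever performing arithmetic that can wrap.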

Potential Impact

The primary impact of CVE-2025-62599 is denial of service: a Fast-DDS participant is terminated remotely by a crafted discovery packet. For European organizations that rely on Fast-DDS for real-time data distribution in critical infrastructure, industrial automation, automotive systems, or defense applications, this means temporary loss of communication or of the affected component until it is restarted. The vulnerability does not grant data access or code execution, but DDS middleware often sits under safety and control functions, so an unplanned restart of a participant can interrupt those functions and, if the crash happens mid-publication, leave consumers with stale data. The low CVSS score reflects the limited impact and the attacker's need to reach discovery traffic, but in high-availability environments even short outages can carry significant operational or financial cost. Organizations with deployments in manufacturing, automotive, aerospace, and smart grid systems should assess how a crashed participant affects their distributed system and plan for it.

Mitigation Recommendations

To mitigate CVE-2025-62599, update eProsima Fast-DDS to 3.4.1, 3.3.1, or 2.6.11 (or later on the respective release branch), which patch the issue. Where patching must wait, reduce who can reach the discovery path: SPDP normally runs over multicast on the DDS domain's discovery ports, so keep DDS traffic on network segments that untrusted hosts cannot reach, filter the discovery multicast group and ports at segment boundaries, and consider Fast-DDS's Discovery Server mode so that participants learn about each other through a controlled server rather than open multicast. Note that enabling DDS Security does not help on its own: the vulnerable parsing happens on the discovery announcement, before the remote participant has been authenticated. Monitor Fast-DDS processes for unexpected terminations and restarts, and inspect captured discovery traffic for DATA Submessages whose declared token lengths exceed the packet size. Track Fast-DDS as a dependency in the software supply chain inventory so that patched releases are picked up promptly, and exercise failover and restart paths for DDS-dependent systems so that a crashed participant does not take a safety or control function down with it.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-10-16T19:24:37.267Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6982fcd3f9fa50a62f7662ec

Added to database: 2/4/2026, 8:01:23 AM

Last enriched: 2/4/2026, 8:09:47 AM

Last updated: 2/7/2026, 6:09:51 AM

Views: 16

