
CVE-2025-62601: CWE-122 Heap-based Buffer Overflow in eProsima Fast-DDS

Severity: Low
Tags: Vulnerability, CVE-2025-62601, CVE, CWE-122
Published: Tue Feb 03 2026 (02/03/2026, 19:16:20 UTC)
Source: CVE Database V5
Vendor/Project: eProsima
Product: Fast-DDS

Description

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are modified, specifically by tampering with the `str_size` value read by `readString` (called from `readBinaryProperty`), a 32-bit integer overflow can occur, causing `std::vector::resize` to use an attacker-controlled size and quickly trigger heap buffer overflow and remote process termination. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.

AI-Powered Analysis

Last updated: 02/03/2026, 20:01:26 UTC

Technical Analysis

CVE-2025-62601 is a heap-based buffer overflow (CWE-122) in eProsima Fast-DDS, a C++ implementation of the OMG Data Distribution Service (DDS) standard. It affects versions prior to 3.4.1, 3.3.1, and 2.6.11 when security mode (DDS Security) is enabled. The bug lies in the handling of the DATA submessage of an SPDP (Simple Participant Discovery Protocol) packet: the PID_IDENTITY_TOKEN and PID_PERMISSIONS_TOKEN parameters carry DDS-Security tokens whose binary properties are deserialized by readBinaryProperty, which calls readString. If an attacker tampers with the str_size length field, the 32-bit arithmetic on that length can overflow, the bounds check is bypassed, and std::vector::resize is called with an attacker-controlled size; the subsequent copy overruns the heap buffer and the Fast-DDS process terminates. The advisory characterizes the impact as remote process termination, that is, a denial of service; confidentiality and integrity are not reported as affected. No authentication or user interaction is required, because SPDP is the unauthenticated bootstrap phase of discovery and the identity and permissions tokens it carries are parsed before any DDS-Security handshake has taken place. An attacker therefore only needs to be able to deliver a crafted packet to the participant's discovery endpoint, which in the default configuration is the multicast UDP discovery port. There are no known exploits in the wild. The issue is fixed in Fast-DDS 3.4.1, 3.3.1, and 2.6.11.
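The length-check overflow pattern described in the description and analysis above, as an added illustration that is not Fast-DDS code: a vulnerable 32-bit bounds check beside its hardened form, and a small length-prefixed BinaryProperty reader that resizes its vector only after the hardened check. The 4-byte little-endian length prefixes, the property name and value, and the function names are all assumptions made for the example; the tampered length stands in for the advisory's str_size.

```cpp
// Added example, not project code. Shows how a 32-bit `pos + len` bounds check
// wraps for an attacker-chosen length and how to check against remaining bytes instead.
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

struct Reader {
    const uint8_t* data;
    uint32_t size;  // total bytes available
    uint32_t pos;   // current read offset
};

static uint32_t read_u32_le(const uint8_t* p) {
    return uint32_t(p[0]) | (uint32_t(p[1]) << 8) | (uint32_t(p[2]) << 16) | (uint32_t(p[3]) << 24);
}

// Vulnerable shape: pos + len is computed in 32 bits, so a len close to UINT32_MAX
// wraps the sum below `size` and the check passes. A following vec.resize(len) and
// memcpy(..., len) then run with the attacker's value.
bool unsafe_length_ok(uint32_t pos, uint32_t len, uint32_t size) {
    return pos + len <= size;
}

// Hardened shape: compare len with the bytes that remain; nothing here can wrap.
bool safe_length_ok(uint32_t pos, uint32_t len, uint32_t size) {
    return pos <= size && len <= size - pos;
}

// Read one length-prefixed byte string; resize the vector only after the safe check.
static bool read_bytes_safe(Reader& r, std::vector<uint8_t>& out) {
    if (!safe_length_ok(r.pos, 4, r.size)) return false;
    uint32_t len = read_u32_le(r.data + r.pos);
    r.pos += 4;
    if (!safe_length_ok(r.pos, len, r.size)) return false;  // rejects 0xFFFFFFF8 etc.
    out.resize(len);                                         // bounded by the buffer
    std::memcpy(out.data(), r.data + r.pos, len);
    r.pos += len;
    return true;
}

struct BinaryProperty {
    std::string name;
    std::vector<uint8_t> value;
};

// Assumed layout: string name (length-prefixed) followed by octet value (length-prefixed).
bool read_binary_property_safe(const std::vector<uint8_t>& buf, BinaryProperty& out) {
    Reader r{buf.data(), static_cast<uint32_t>(buf.size()), 0};
    std::vector<uint8_t> name_bytes;
    if (!read_bytes_safe(r, name_bytes)) return false;
    out.name.assign(name_bytes.begin(), name_bytes.end());
    return read_bytes_safe(r, out.value);
}

static void put_u32_le(std::vector<uint8_t>& v, uint32_t x) {
    for (int i = 0; i < 4; ++i) v.push_back(uint8_t(x >> (8 * i)));
}

// Build a constructed (not captured) well-formed encoding.
std::vector<uint8_t> build_property(const std::string& name, const std::vector<uint8_t>& value) {
    std::vector<uint8_t> v;
    put_u32_le(v, uint32_t(name.size()));
    v.insert(v.end(), name.begin(), name.end());
    put_u32_le(v, uint32_t(value.size()));
    v.insert(v.end(), value.begin(), value.end());
    return v;
}

// Overwrite the value's length prefix with an attacker-chosen size (the advisory's str_size).
std::vector<uint8_t> tamper_value_length(std::vector<uint8_t> v, size_t name_len, uint32_t bogus) {
    size_t off = 4 + name_len;
    for (int i = 0; i < 4; ++i) v[off + i] = uint8_t(bogus >> (8 * i));
    return v;
}

int main() {
    std::vector<uint8_t> good = build_property("example.name", {1, 2, 3, 4});  // 24 bytes
    std::vector<uint8_t> bad = tamper_value_length(good, 12, 0xFFFFFFF8u);
    BinaryProperty bp;
    bool ok_good = read_binary_property_safe(good, bp);
    bool ok_bad = read_binary_property_safe(bad, bp);
    // With pos = 20 and size = 24 the vulnerable check accepts 0xFFFFFFF8 (20 + len wraps to 12).
    bool wrapped = unsafe_length_ok(20, 0xFFFFFFF8u, 24);
    return (ok_good && !ok_bad && wrapped) ? 0 : 1;
}
```

In the tampered buffer the reader sits at offset 20 of 24 bytes when it meets the bogus length; the unsafe check computes 20 + 0xFFFFFFF8, which wraps to 12 and passes, while the safe check compares 0xFFFFFFF8 against the 4 remaining bytes and rejects the property before any allocation or copy.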

Potential Impact

For European organizations, the primary impact of this vulnerability is denial of service through remote termination of Fast-DDS processes. This can disrupt real-time communication systems built on DDS middleware, such as industrial automation, automotive systems, robotics, and defense applications, where even a short outage can mean operational downtime, safety risk, and loss of productivity. The advisory reports only process termination; no code execution or data compromise is described, so the impact is confined to availability. Because the malformed parameters are parsed during SPDP discovery, before any DDS-Security authentication, any host that can deliver packets to a participant's discovery port can trigger the crash, and an attacker who can do so repeatedly can keep a restarted process down. Organizations running affected versions with security mode enabled on networks that carry untrusted traffic are exposed. The absence of known exploits reduces immediate risk but does not remove the need for mitigation.

Mitigation Recommendations

European organizations should upgrade eProsima Fast-DDS to version 3.4.1, 3.3.1, or 2.6.11 (or later on the respective branch), which is the only fix for the parsing bug itself. Until then, restrict exposure at the network layer: segment DDS traffic and firewall the discovery ports so that only trusted hosts can reach them. Note that DDS Security cannot filter these packets on its own, because the identity and permissions tokens are deserialized from SPDP before the authentication handshake, so "only authorized publishers can send SPDP packets" is achievable only through network controls, not through DDS-Security configuration. Where the deployment allows it, replacing open multicast discovery with a fixed peer list or a discovery server reduces who can inject discovery traffic. Monitoring DDS discovery traffic for DATA submessages whose token fields carry implausibly large string lengths can detect tampering attempts. Process health monitoring with automatic restart limits downtime after a crash but does not stop an attacker who keeps sending the packet. Finally, regular vulnerability assessments and penetration testing of DDS deployments help surface similar parsing issues proactively.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-10-16T19:24:37.267Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69825048f9fa50a62fdc1980

Added to database: 2/3/2026, 7:45:12 PM

Last enriched: 2/3/2026, 8:01:26 PM

Last updated: 2/4/2026, 1:19:20 PM
