The vulnerability CVE-2025-62603 resides in eProsima Fast-DDS, a widely used C++ implementation of the OMG DDS standard for real-time data distribution. Fast-DDS uses ParticipantGenericMessage containers to carry DDS Security control messages, including handshake and ongoing security traffic such as crypto-token exchanges and re-authentication. The vulnerability arises during the deserialization process of the message_data field, specifically within the DataHolderSeq sequence. The parser fully unfolds the entire DataHolderSeq structure without performing minimal header checks to validate message legitimacy before parsing. This behavior is problematic because RTPS (Real-Time Publish-Subscribe) protocol allows duplicates, delays, and retransmissions, necessitating at least minimal structural parsing before processing. However, the current implementation parses the entire sequence, which can be malformed or crafted maliciously to cause an out-of-bounds read. This can lead to an out-of-memory condition and remote process termination, effectively causing a denial-of-service (DoS). The vulnerability affects Fast-DDS versions prior to 3.4.1, 3.3.1, and 2.6.11, which have patched this issue. Exploitation requires no authentication or user interaction and can be triggered remotely by sending specially crafted DDS security messages. The CVSS 4.0 score is 1.7, indicating low severity primarily due to limited impact on confidentiality, integrity, and the requirement for specific protocol knowledge to exploit. No known exploits are reported in the wild as of now.

For European organizations, especially those in sectors relying on real-time data distribution such as industrial automation, automotive, aerospace, and critical infrastructure, this vulnerability poses a risk of denial-of-service through remote process termination. Disruption of Fast-DDS services could impact operational continuity, safety systems, and real-time control processes. Although the vulnerability does not directly compromise confidentiality or integrity, availability impacts could cascade into operational delays or failures. Given the low CVSS score, the immediate risk is limited, but targeted attacks exploiting this flaw could affect high-value systems. The lack of authentication requirements means attackers can attempt exploitation from the network, increasing exposure if DDS traffic is not properly segmented or filtered. European organizations using Fast-DDS in IoT, robotics, or distributed control systems should be particularly vigilant.

The primary mitigation is to upgrade eProsima Fast-DDS to versions 3.4.1, 3.3.1, or 2.6.11 or later, where the vulnerability is patched. Organizations should audit their environments to identify Fast-DDS deployments and ensure timely patching. Network-level controls should be implemented to restrict DDS traffic to trusted sources only, employing firewall rules or network segmentation to isolate DDS communication channels. Deploying intrusion detection systems (IDS) or anomaly detection tailored to DDS traffic patterns can help identify malformed or suspicious messages. Additionally, applying rate limiting on DDS security messages may reduce the risk of resource exhaustion. Developers and integrators should review their use of ParticipantGenericMessage parsing to ensure minimal header checks are performed before full deserialization, reducing exposure to malformed inputs. Regular security assessments and penetration testing focusing on DDS implementations can help detect similar vulnerabilities proactively.