CVE-2025-64334 is a resource exhaustion vulnerability classified under CWE-770 (Allocation of Resources Without Limits or Throttling) affecting the Suricata network IDS/IPS/NSM engine developed by the Open Information Security Foundation (OISF). Specifically, in Suricata versions from 8.0.0 up to but not including 8.0.2, the handling of compressed HTTP data, particularly involving LZMA decompression, can cause unbounded memory growth. This occurs because the decompression process does not impose limits or throttling on resource allocation, allowing an attacker to send specially crafted compressed HTTP responses that cause Suricata to consume excessive memory. The consequence is a denial of service (DoS) condition where Suricata processes may crash or become unresponsive due to memory exhaustion. The vulnerability is remotely exploitable without authentication or user interaction, as it relies on network traffic that Suricata inspects. The issue was addressed in Suricata version 8.0.2 by implementing appropriate resource limits during decompression. As a workaround before patching, disabling LZMA decompression or limiting the response-body size can mitigate the risk. Although no exploits have been reported in the wild, the high CVSS score of 7.5 reflects the significant impact on availability and ease of exploitation. Suricata is widely used in network security monitoring and intrusion prevention, making this vulnerability relevant for organizations relying on it for network defense.

For European organizations, this vulnerability poses a significant risk to the availability of network security monitoring and intrusion prevention systems that utilize Suricata versions 8.0.0 to before 8.0.2. Exploitation can lead to denial of service by exhausting memory resources, potentially causing Suricata to crash or become unresponsive. This disruption can blind security teams to ongoing network threats, increasing the risk of undetected attacks. Critical infrastructure sectors such as energy, finance, telecommunications, and government agencies that rely on Suricata for real-time network analysis are particularly vulnerable. The remote and unauthenticated nature of the exploit means attackers can trigger the vulnerability without prior access, increasing the attack surface. Additionally, the inability to inspect network traffic effectively during a DoS event can have cascading effects on incident response and compliance with European cybersecurity regulations like NIS2. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits given the public disclosure.

European organizations should immediately upgrade Suricata installations to version 8.0.2 or later to apply the official patch addressing this vulnerability. Until patching is feasible, administrators should disable LZMA decompression in Suricata configurations to prevent unbounded memory growth. Additionally, configuring strict limits on the response-body size within Suricata can reduce the risk of resource exhaustion. Network segmentation and filtering can be employed to limit exposure to untrusted HTTP traffic that might carry malicious compressed payloads. Monitoring Suricata process memory usage and setting up alerts for abnormal spikes can provide early warning of exploitation attempts. Organizations should also review and update incident response plans to include scenarios involving Suricata service disruption. Finally, maintaining up-to-date threat intelligence feeds and vendor advisories will help detect emerging exploits targeting this vulnerability.