
CVE-2025-64344: CWE-121: Stack-based Buffer Overflow in OISF suricata

Severity: High
Published: Wed Nov 26 2025 (11/26/2025, 23:05:33 UTC)
Source: CVE Database V5
Vendor/Project: OISF
Product: suricata

Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, working with large buffers in Lua scripts can lead to a stack overflow. Users of Lua rules and output scripts may be affected when working with large buffers. This includes a rule passing a large buffer to a Lua script. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves disabling Lua rules and output scripts, or making sure limits, such as stream.depth.reassembly and HTTP response body limits (response-body-limit), are set to less than half the stack size.

AI-Powered Analysis

Last updated: 12/03/2025, 23:49:46 UTC

Technical Analysis

CVE-2025-64344 is a stack-based buffer overflow vulnerability identified in Suricata, an open-source network intrusion detection and prevention system developed by the Open Information Security Foundation (OISF). The vulnerability specifically affects Suricata versions prior to 7.0.13 and 8.0.2 when handling large buffers within Lua scripting contexts. Suricata supports Lua scripts for advanced rule processing and output customization, which can receive data buffers from network traffic analysis. When a Lua rule or output script processes a buffer larger than the safe limit, it may cause a stack overflow due to improper bounds checking or buffer size validation. This overflow can lead to a crash of the Suricata process, resulting in denial of service (DoS). The vulnerability does not impact confidentiality or integrity directly but severely affects availability. The CVSS v3.1 score of 7.5 reflects the network attack vector, low attack complexity, no privileges required, no user interaction, and the impact limited to availability. No known exploits have been reported in the wild as of publication. Mitigation involves upgrading Suricata to versions 7.0.13 or 8.0.2 and later, which include patches addressing the buffer overflow. Alternatively, disabling Lua scripting or output scripts can prevent exploitation. Additionally, configuring limits such as stream.depth.reassembly and HTTP response-body-limit to values less than half the stack size reduces the risk of triggering the overflow. This vulnerability is particularly relevant for organizations using Suricata with Lua scripting enabled and processing large or complex network traffic buffers.

Potential Impact

The primary impact of CVE-2025-64344 is on the availability of Suricata-based network security monitoring and intrusion prevention systems. Exploitation can cause Suricata to crash or become unstable, leading to loss of network visibility and protection. For European organizations, this can result in temporary blind spots in network defense, increasing exposure to other attacks or intrusions. Critical infrastructure sectors, financial institutions, and government agencies relying on Suricata for real-time threat detection may face operational disruptions. The lack of confidentiality or integrity impact means data leakage or tampering is not directly threatened by this vulnerability. However, the denial of service effect can indirectly facilitate further attacks by disabling security controls. The ease of exploitation (no authentication or user interaction required) and network-based attack vector make this vulnerability a significant risk if unpatched. Organizations with complex Lua scripting rules or handling large HTTP response bodies are at higher risk. The absence of known exploits in the wild currently reduces immediate threat but does not eliminate the potential for future exploitation.

Mitigation Recommendations

1. Upgrade Suricata installations to version 7.0.13, 8.0.2, or later as soon as possible to apply the official patches addressing the buffer overflow.
2. If immediate upgrade is not feasible, disable Lua scripting and Lua output scripts to eliminate the attack surface related to this vulnerability.
3. Configure Suricata settings to limit buffer sizes by setting stream.depth.reassembly and HTTP response-body-limit to values less than half the stack size to prevent large buffers from triggering the overflow.
4. Review and audit existing Lua scripts for handling of large buffers and optimize or restrict their usage.
5. Monitor Suricata logs and system stability for signs of crashes or unusual behavior that could indicate attempted exploitation.
6. Implement network segmentation and traffic filtering to reduce exposure of Suricata instances to untrusted or high-risk network segments.
7. Maintain up-to-date threat intelligence feeds and subscribe to OISF advisories for timely updates on related vulnerabilities or exploits.
8. Conduct regular security assessments and penetration tests focusing on IDS/IPS components to validate resilience against similar buffer overflow attacks.
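The workaround in step 3 is easy to get wrong when a deployment has raised the defaults, so here is an added example (not code from the advisory, OISF or Suricata) that checks a configuration against the "less than half the stack size" rule. It reads the limits from the suricata.yaml paths `stream.reassembly.depth` (the advisory's "stream.depth.reassembly") and `app-layer.protocols.http.libhtp.default-config.response-body-limit`, plus any per-server `server-config` overrides, and compares them with the process soft stack limit; the 8 MiB fallback used when that limit is unlimited is an assumption, and the sample configuration is constructed for the demonstration. A value of 0 is treated as unlimited and is therefore always flagged.

```python
"""Flag Suricata buffer limits that violate the half-stack rule from CVE-2025-64344.

Added example, not part of the advisory or of Suricata itself. Assumes the
suricata.yaml has already been loaded into nested dicts/lists (e.g. with PyYAML).
"""
import re
import resource  # Unix only; used to read the soft stack limit

SIZE_UNITS = {"": 1, "b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}


def parse_size(value):
    """Convert a suricata.yaml size value ('1mb', '100kb', 4096, 0) to bytes."""
    if isinstance(value, int):
        return value
    m = re.fullmatch(r"\s*(\d+)\s*([kmg]?b)?\s*", str(value), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised size value: {value!r}")
    return int(m.group(1)) * SIZE_UNITS[(m.group(2) or "").lower()]


def thread_stack_bytes(fallback=8 * 1024 ** 2):
    """Soft RLIMIT_STACK of this process; falls back to 8 MiB (assumed default) if unlimited."""
    soft, _hard = resource.getrlimit(resource.RLIMIT_STACK)
    return fallback if soft == resource.RLIM_INFINITY else soft


def _get(cfg, dotted):
    """Walk a dotted path through nested dicts; None if any component is missing."""
    for key in dotted.split("."):
        if not isinstance(cfg, dict) or key not in cfg:
            return None
        cfg = cfg[key]
    return cfg


def collect_limits(cfg):
    """Yield (config path, raw value) for the limits the advisory names."""
    yield "stream.reassembly.depth", _get(cfg, "stream.reassembly.depth")
    libhtp = _get(cfg, "app-layer.protocols.http.libhtp") or {}
    prefix = "app-layer.protocols.http.libhtp"
    yield (f"{prefix}.default-config.response-body-limit",
           _get(libhtp, "default-config.response-body-limit"))
    # server-config is a list of single-key mappings: - name: {address: [...], ...}
    for entry in libhtp.get("server-config", []) or []:
        for name, settings in entry.items():
            yield (f"{prefix}.server-config.{name}.response-body-limit",
                   settings.get("response-body-limit"))


def check_limits(cfg, stack_bytes):
    """Return [(path, bytes)] for limits that are unlimited (0) or exceed stack_bytes // 2."""
    ceiling = stack_bytes // 2
    findings = []
    for path, raw in collect_limits(cfg):
        if raw is None:
            continue
        size = parse_size(raw)
        if size == 0 or size > ceiling:
            findings.append((path, size))
    return findings


# Constructed sample mirroring the suricata.yaml layout; values chosen so that
# two of the three limits violate the rule against an 8 MiB stack.
SAMPLE_CONFIG = {
    "stream": {"reassembly": {"depth": "12mb"}},
    "app-layer": {
        "protocols": {
            "http": {
                "libhtp": {
                    "default-config": {
                        "request-body-limit": "100kb",
                        "response-body-limit": "10mb",
                    },
                    "server-config": [
                        {"intranet": {"address": ["10.0.0.0/8"],
                                      "response-body-limit": "64kb"}},
                    ],
                }
            }
        }
    },
}

if __name__ == "__main__":
    stack = thread_stack_bytes()
    for path, size in check_limits(SAMPLE_CONFIG, stack):
        print(f"{path} = {size} bytes exceeds stack/2 = {stack // 2} bytes")
```

To run it against a live deployment, load the real file with a YAML parser and pass the resulting mapping to `check_limits`; note that the check uses the limit of the process it runs in, so run it under the same user and limits as the Suricata service, or pass the service's stack size explicitly.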


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-10-30T17:40:52.031Z
CVSS Version: 3.1
State: PUBLISHED
