
CVE-2025-67899: CWE-674 Uncontrolled Recursion in uriparser project uriparser

Severity: Low
Tags: CVE-2025-67899, cve, cwe-674
Published: Sun Dec 14 2025 (12/14/2025, 22:17:42 UTC)
Source: CVE Database V5
Vendor/Project: uriparser project
Product: uriparser

Description

uriparser through 0.9.9 allows unbounded recursion and stack consumption, as demonstrated by ParseMustBeSegmentNzNc with large input containing many commas.

AI-Powered Analysis

AI analysis last updated: 12/14/2025, 22:49:56 UTC

Technical Analysis

CVE-2025-67899 identifies a vulnerability in the uriparser project, a widely used C library for parsing URIs. The flaw is due to uncontrolled recursion in the function ParseMustBeSegmentNzNc when processing URI segments containing numerous commas. This leads to unbounded recursion depth and stack consumption, which can cause a stack overflow or denial of service (DoS) by crashing the application or making it unresponsive. The vulnerability affects uriparser versions up to 0.9.9. The attack vector is local (AV:L), requiring the attacker to have access to the system where the vulnerable library is used. The attack complexity is high (AC:H), meaning exploitation is difficult, and no privileges or user interaction are required. The CVSS score is 2.9, indicating low severity, primarily impacting availability without affecting confidentiality or integrity. No patches or fixes have been released at the time of publication, and no known exploits exist in the wild. The vulnerability is categorized under CWE-674 (Uncontrolled Recursion), a common programming flaw that can lead to resource exhaustion. Organizations embedding uriparser in their software stacks, especially those handling untrusted URI inputs, may be susceptible to application crashes or denial of service if exploited.

Potential Impact

For European organizations, the primary impact of this vulnerability is potential denial of service due to application crashes or unresponsiveness when processing specially crafted URIs containing many commas. This can affect availability of services relying on uriparser for URI parsing, such as web servers, network appliances, or embedded systems. Since the vulnerability does not affect confidentiality or integrity, data breaches or unauthorized modifications are unlikely. However, service disruption can lead to operational downtime, impacting business continuity and user experience. Industries with critical infrastructure or high availability requirements, such as telecommunications, finance, and government services, may face increased risk if they use uriparser in their software stacks. The low exploitability and local attack vector reduce the likelihood of widespread attacks, but insider threats or compromised internal systems could leverage this vulnerability. The absence of known exploits and patches means organizations should proactively assess their exposure and prepare mitigation strategies.

Mitigation Recommendations

European organizations should implement the following specific mitigation measures:
1) Inventory and identify all software components and products using uriparser, especially versions up to 0.9.9.
2) Apply strict input validation and sanitization on all URI inputs to limit or reject excessively long or comma-rich segments that could trigger recursion.
3) Employ runtime protections such as stack size limits or recursion depth monitoring to prevent stack exhaustion.
4) Isolate or sandbox applications using uriparser to contain potential crashes and minimize impact on other system components.
5) Monitor vendor announcements and security advisories for patches or updates addressing this vulnerability and plan timely deployment.
6) Conduct code reviews and testing for recursive functions in custom URI parsing implementations to avoid similar issues.
7) Educate developers and security teams about CWE-674 risks and secure coding practices to prevent uncontrolled recursion.
These targeted actions go beyond generic advice by focusing on the specific nature of the vulnerability and the affected library.
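As an added illustration of the CWE-674 shape described above and of mitigations 2 and 3, the following C sketch (constructed for this page, not uriparser's source and not from the advisory) places a depth-guarded recursive segment scanner beside an iterative equivalent, plus a pre-filter that rejects over-long segments before they reach a parser. The simplified segment grammar, the depth cap and the length cap are assumptions.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed illustration of the CWE-674 shape behind this CVE, not uriparser's
 * own source: a scanner that recurses once per byte of a comma-heavy segment. */

static bool ends_segment(char c) { return c == '\0' || c == '/' || c == '?' || c == '#'; }

static bool is_segment_char(char c)
{
    /* RFC 3986 segment-nz-nc, simplified: unreserved, '%' marker, sub-delims (incl. ','), '@' */
    if (c == '\0') return false;
    if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')) return true;
    return strchr("-._~%!$&'()*+,;=@", c) != NULL;
}

/* Recursive form with a depth guard. Returns the segment length, -1 when the
 * cap is hit (reject instead of exhausting the stack), -2 on a bad byte.
 * Without the cap this is the vulnerable shape: recursion depth == input length. */
int scan_segment_recursive(const char *p, int depth, int max_depth)
{
    if (ends_segment(*p)) return depth;
    if (depth >= max_depth) return -1;
    if (!is_segment_char(*p)) return -2;
    return scan_segment_recursive(p + 1, depth + 1, max_depth);
}

/* Iterative form: same grammar, constant stack however long the input is. */
long scan_segment_iterative(const char *p)
{
    long len = 0;
    for (; !ends_segment(*p); ++p, ++len)
        if (!is_segment_char(*p)) return -2;
    return len;
}

/* Pre-filter for mitigation 2: true if no run of bytes between '/' delimiters
 * (scheme and authority counted too, as an approximation) exceeds the cap. */
bool uri_segments_within_limit(const char *uri, size_t max_segment_len)
{
    size_t run = 0;
    for (const char *p = uri; ; ++p) {
        if (*p == '/' || *p == '?' || *p == '#' || *p == '\0') {
            if (run > max_segment_len) return false;
            if (*p != '/') return true;   /* end of path component: everything passed */
            run = 0;
        } else ++run;
    }
}
```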


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-12-14T22:17:41.925Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 693f3b90b0f1e1d530275ac8

Added to database: 12/14/2025, 10:34:56 PM

Last enriched: 12/14/2025, 10:49:56 PM

Last updated: 12/15/2025, 5:50:41 AM

Views: 13
