CVE-2025-24807
Severity: HIGH
eprosima Fast DDS < 2.6.10 - Insufficient Verification of Data Authenticity in PermissionsCA
Title source: llmDescription
eprosima Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 2.6.10, 2.10.7, 2.14.5, 3.0.2, 3.1.2, and 3.2.0, the PermissionsCA certificate was, by design, neither validated against its full certificate chain nor checked for expiration: the access control plugin validated only the S/MIME signature on the governance and permissions documents, so documents signed by an expired PermissionsCA were accepted as valid. Although this allows `governance/permissions` documents from an expired PermissionsCA to be accepted, and causes the system to crash when the PermissionsCA is not self-signed and contains the full chain, the impact is low. Versions 2.6.10, 2.10.7, 2.14.5, 3.0.2, 3.1.2, and 3.2.0 contain a fix for the issue.
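The following Go program is an added illustration and is not code from Fast DDS or eProsima. It builds a constructed two-level PKI (a root CA and a PermissionsCA issued by it, so the PermissionsCA is not self-signed), signs a constructed permissions document with the PermissionsCA key, and contrasts a signature-only check of the kind described above with one that also enforces the PermissionsCA validity window and a chain to a configured trust anchor. A raw ECDSA signature over the document stands in for the S/MIME signature the real plugin verifies; the certificate names, the validity windows and the document content are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed stand-in for a DDS permissions XML document; not a real Fast DDS artefact.
var permissionsDoc = []byte(`<dds><permissions><grant name="ExampleParticipant"/></permissions></dds>`)
var ErrPermCAExpired = errors.New("PermissionsCA certificate is outside its validity window")

// PKI holds the constructed certificates for one scenario.
type PKI struct {
	Root      *x509.Certificate // trust anchor configured on the participant
	PermCA    *x509.Certificate // PermissionsCA issued by Root, i.e. not self-signed
	Signature []byte            // ECDSA signature over permissionsDoc by the PermissionsCA key
}

func caTemplate(serial int64, cn string, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildPKI creates Root -> PermissionsCA (expired=true: window ended a year before now) and signs permissionsDoc.
func BuildPKI(now time.Time, expired bool) (*PKI, error) {
	year := 365 * 24 * time.Hour
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rootTmpl := caTemplate(1, "Example Root CA", now.Add(-3*year), now.Add(10*year))
	root, err := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	permKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	notAfter := now.Add(5 * year)
	if expired {
		notAfter = now.Add(-1 * year) // assumed: PermissionsCA expired one year ago
	}
	permCA, err := issue(caTemplate(2, "Example PermissionsCA", now.Add(-2*year), notAfter), root, &permKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(permissionsDoc)
	sig, err := ecdsa.SignASN1(rand.Reader, permKey, digest[:])
	if err != nil {
		return nil, err
	}
	return &PKI{Root: root, PermCA: permCA, Signature: sig}, nil
}

// SignatureOnlyCheck models the pre-fix behaviour: the document signature is verified against the
// key in the presented PermissionsCA certificate and nothing else about that certificate (validity
// dates, issuer chain) is examined. A raw ECDSA signature stands in for the plugin's S/MIME check.
func SignatureOnlyCheck(doc, sig []byte, permCA *x509.Certificate) bool {
	pub, ok := permCA.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// FullCheck adds the two missing validations: the PermissionsCA must be inside its validity window
// at time now and must chain to a configured trust anchor; an unknown issuer is an error, not a pass.
func FullCheck(doc, sig []byte, permCA *x509.Certificate, roots *x509.CertPool, now time.Time) error {
	if !SignatureOnlyCheck(doc, sig, permCA) {
		return errors.New("permissions document signature does not verify")
	}
	if now.Before(permCA.NotBefore) || now.After(permCA.NotAfter) {
		return fmt.Errorf("%w: notAfter=%s", ErrPermCAExpired, permCA.NotAfter.Format(time.RFC3339))
	}
	if _, err := permCA.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("PermissionsCA chain validation failed: %w", err)
	}
	return nil
}
```

With the expired PermissionsCA, SignatureOnlyCheck returns true while FullCheck returns ErrPermCAExpired; with an empty trust pool, FullCheck returns an x509.UnknownAuthorityError instead of accepting the certificate. Go's Certificate.Verify would reject the expired leaf on its own as well, so the explicit date check mainly exists to report the failure precisely.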
References (6)
Vendor Advisory: https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-w33g-jmm2-8983
Patch: https://github.com/eProsima/Fast-DDS/pull/5530
Product: https://github.com/eProsima/Fast-DDS/blob/2.6.9/src/cpp/security/accesscontrol/Permissions.cpp#L390-L396
Product: https://github.com/eProsima/Fast-DDS/blob/2.6.9/src/cpp/security/accesscontrol/Permissions.cpp#L412
Product: https://github.com/eProsima/Fast-DDS/blob/2.6.9/src/cpp/security/authentication/PKIDH.cpp#L241
Related (DDS Security 1.1 specification): https://www.omg.org/spec/DDS-SECURITY/1.1/PDF
Scores
CVSS v3: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
Attack Vector: LOCAL
EPSS: 0.0019 (percentile 8.7%)
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-345 (Insufficient Verification of Data Authenticity)
Status: published
Products (1): eprosima/fast_dds < 2.6.10
Published: Feb 11, 2025
Tracked Since: Feb 18, 2026