CVE-2025-64344
HIGHSuricata < 7.0.13 - Stack-based Buffer Overflow in Lua Script Buffer Handling
Title source: llmDescription
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, working with large buffers in Lua scripts can lead to a stack overflow. Users of Lua rules and output scripts may be affected when working with large buffers. This includes a rule passing a large buffer to a Lua script. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves disabling Lua rules and output scripts, or making sure limits, such as stream.depth.reassembly and HTTP response body limits (response-body-limit), are set to less than half the stack size.
References (2)
Core 2
Core References
Issue Tracking, Third Party Advisory x_refsource_confirm
https://github.com/OISF/suricata/security/advisories/GHSA-93fh-cgmc-w3rx
Patch x_refsource_misc
https://github.com/OISF/suricata/commit/e13fe6a90dba210a478148c4084f6f5db17c5b5a
Scores
CVSS v3
7.5
EPSS
0.0029
EPSS Percentile
20.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-121
CWE-787
Status
published
Products (1)
oisf/suricata
< 7.0.13
Published
Nov 26, 2025
Tracked Since
Feb 18, 2026