CVE-2025-24356

Source
https://cve.org/CVERecord?id=CVE-2025-24356
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-24356.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-24356
Aliases
  • GHSA-pggg-vpfv-4rcv
Published
2025-01-27T17:31:38.541Z
Modified
2026-04-12T14:04:24.841752Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L
Summary
UDP traffic amplification via fastd's fast reconnect feature
Details

fastd is a VPN daemon which tunnels IP packets and Ethernet frames over UDP. When receiving a data packet from an unknown IP address/port combination, fastd will assume that one of its connected peers has moved to a new address and initiate a reconnect by sending a handshake packet. This "fast reconnect" avoids having to wait for a session timeout (up to ~90s) until a new connection is established. Even a 1-byte UDP packet just containing the fastd packet type header can trigger a much larger handshake packet (~150 bytes of UDP payload). Including IPv4 and UDP headers, the resulting amplification factor is roughly 12-13. By sending data packets with a spoofed source address to fastd instances reachable on the internet, this amplification of UDP traffic might be used to facilitate a Distributed Denial of Service attack. This vulnerability is fixed in v23.

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/24xxx/CVE-2025-24356.json",
    "cwe_ids": [
        "CWE-405"
    ]
}

Affected packages

Git / github.com/neocturne/fastd

Affected ranges

Type
GIT
Repo
https://github.com/neocturne/fastd
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*
v0.1
v0.1-rc1
v0.1-rc2
v0.1-rc3
v0.1-rc4
v0.2
v0.3
v0.4
v0.4-rc1
v0.4-rc10
v0.4-rc11
v0.4-rc12
v0.4-rc13
v0.4-rc2
v0.4-rc3
v0.4-rc4
v0.4-rc5
v0.4-rc6
v0.4-rc7
v0.4-rc8
v0.4-rc9
v0.5
v0.5-rc1
v0.5-rc2
v0.5-rc3
v0.5-rc4
Other
v10
v11
v12
v13
v14
v15
v16
v17
v18
v19
v20
v21
v22
v6
v6-rc1
v7
v8
v9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-24356.json"
vanir_signatures
vanir_signatures_modified
"2026-04-12T14:04:24Z"