CVE-2025-66624

Source
https://cve.org/CVERecord?id=CVE-2025-66624
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66624.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-66624
Aliases
  • GHSA-8wgw-5h6x-qgqg
Published
2025-12-05T18:36:26.280Z
Modified
2026-04-12T18:47:07.411552Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
BACnet-stack MS/TP reply matcher OOB read
Details

The BACnet Protocol Stack library provides BACnet application layer, network layer, and media access (MAC) layer communications services. Prior to 1.5.0.rc2, the npdu_is_expected_reply function in src/bacnet/npdu.c indexes request_pdu[offset+2/3/5] and reply_pdu[offset+1/2/4] without verifying that those APDU bytes exist. bacnet_npdu_decode() can return offset == 2 for a 2-byte NPDU, so tiny PDUs pass the version check and then get read out of bounds. On ASan/MPU/strict builds this is an immediate crash (DoS). On unprotected builds it is undefined behavior and can mis-route replies; RCE is unlikely because only reads occur, but DoS is reliable.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66624.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-125"
    ]
}
References

Affected packages

Git / github.com/bacnet-stack/bacnet-stack

Affected ranges

Type
GIT
Repo
https://github.com/bacnet-stack/bacnet-stack
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

bacnet-stack-1.*
bacnet-stack-1.0.0
bacnet-stack-1.1.1
bacnet-stack-1.2.0
bacnet-stack-1.3.0
bacnet-stack-1.3.1
bacnet-stack-1.3.2
bacnet-stack-1.3.3
bacnet-stack-1.3.4
bacnet-stack-1.3.5
bacnet-stack-1.3.6
bacnet-stack-1.3.7
bacnet-stack-1.3.8
bacnet-stack-1.4.0
bacnet-stack-1.4.1
bacnet-stack-1.4.2

Database specific

vanir_signatures_modified
"2026-04-12T18:47:07Z"
unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "1.5.0-rc1"
            }
        ]
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66624.json"
vanir_signatures
[
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "target": {
            "file": "test/bacnet/npdu/src/main.c"
        },
        "signature_type": "Line",
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2025-66624-0b6d3b44",
        "source": "https://github.com/bacnet-stack/bacnet-stack/commit/9378f7d1e70169ebde4a5090bae7603703eadf48"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "target": {
            "file": "src/bacnet/npdu.c"
        },
        "signature_type": "Line",
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2025-66624-1f63d835",
        "source": "https://github.com/bacnet-stack/bacnet-stack/commit/9378f7d1e70169ebde4a5090bae7603703eadf48"
    },
    {
        "digest": {
            "length": 2247.0,
            "function_hash": "284165713238503035960910248294941153739"
        },
        "target": {
            "file": "src/bacnet/npdu.c",
            "function": "npdu_is_expected_reply"
        },
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2025-66624-28825610",
        "source": "https://github.com/bacnet-stack/bacnet-stack/commit/9378f7d1e70169ebde4a5090bae7603703eadf48"
    }
]