Cyber Posture

CVE-2025-55398

Critical

Published: 22 August 2025
Modified: 15 April 2026
KEV Added: not listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0012 (31.1st percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-55398 is a critical-severity Improper Validation of Specified Quantity in Input (CWE-1284) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 31.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mitigates CVE-2025-55398 by requiring timely patching or upgrading of the vulnerable mouse07410 asn1c library to versions after 0.9.29 that enforce UPER INTEGER constraints.

Prevent: Enforces validation of information inputs to ASN.1 UPER decoders, preventing processing of malformed INTEGER values exceeding 32-bit positive bounds.

Detect: Scans for the presence of vulnerable asn1c versions and UPER decoder flaws, enabling identification of systems affected by CVE-2025-55398.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote network-accessible decoder flaw in a library (no auth/UI) directly enables exploitation of public-facing apps/services consuming ASN.1/UPER data.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

An issue was discovered in mouse07410 asn1c thru 0.9.29 (2025-03-20) - a fork of vlm asn1c. In UPER (Unaligned Packed Encoding Rules), asn1c-generated decoders fail to enforce INTEGER constraints when the bound is positive and exceeds 32 bits in length, potentially allowing incorrect or malicious input to be processed.

Deeper analysis

CVE-2025-55398 affects the mouse07410 asn1c library through version 0.9.29 (dated 2025-03-20), a fork of vlm asn1c. The vulnerability resides in UPER (Unaligned Packed Encoding Rules) decoders generated by asn1c, which fail to enforce INTEGER constraints when the bound is positive and exceeds 32 bits in length. This flaw, tracked under CWE-1284, enables the processing of incorrect or malicious input and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

Remote attackers require no privileges, authentication, or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation allows processing of malformed input in affected decoders, potentially leading to high impacts on confidentiality, integrity, and availability as scored by CVSS.
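To make the missing check concrete, here is an added illustrative model in C of the UPER constrained-INTEGER decode step with the bound enforced in 64-bit arithmetic; it is not asn1c's own code, and the bit reader, result struct, vector names and the INTEGER (0..2^40) constraint are constructed assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>

typedef struct { const uint8_t *buf; size_t nbits; size_t pos; } bitreader_t;
typedef struct { int status; int64_t value; } dec_result_t; /* 0 ok, -1 short, -2 bound */

/* Read n bits (0..64) MSB-first; returns -1 if the input is too short. */
static int read_bits(bitreader_t *br, unsigned n, uint64_t *out) {
    uint64_t v = 0;
    if (n > 64 || n > br->nbits - br->pos) return -1;
    for (unsigned i = 0; i < n; i++, br->pos++)
        v = (v << 1) | ((br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1u);
    *out = v;
    return 0;
}

/* UPER encodes a constrained INTEGER (lb..ub) as the offset value-lb in
 * ceil(log2(ub-lb+1)) bits; computed in 64-bit so wide bounds are not cut. */
static unsigned bits_for_range(uint64_t range) {
    unsigned n = 0;
    while (n < 64 && ((range - 1) >> n) != 0) n++;
    return n;
}

/* Decode one constrained INTEGER (requires lb <= ub) and enforce the bound.
 * Offset arithmetic is modular uint64_t, exact even when ub-lb overflows int64_t. */
dec_result_t decode_constrained_int(bitreader_t *br, int64_t lb, int64_t ub) {
    dec_result_t r = { 0, 0 };
    uint64_t max_off = (uint64_t)ub - (uint64_t)lb, raw;
    if (read_bits(br, bits_for_range(max_off + 1), &raw)) { r.status = -1; return r; }
    /* Unless the range is a power of two the bit field can carry offsets above
     * ub-lb; a decoder that skips this check hands an out-of-range INTEGER to
     * the application (the CWE-1284 pattern). */
    if (raw > max_off) { r.status = -2; return r; }
    r.value = (int64_t)((uint64_t)lb + raw);
    return r;
}

/* Decode from a byte array starting at bit 0. */
dec_result_t decode_from_bytes(const uint8_t *b, size_t n, int64_t lb, int64_t ub) {
    bitreader_t br = { b, n * 8, 0 };
    return decode_constrained_int(&br, lb, ub);
}

/* Constructed vectors for INTEGER (0..2^40), a 41-bit field:
 * VEC_OK = offset 2^40 (== ub) -> accepted; VEC_BAD = offset 2^41-1 -> rejected. */
const uint8_t VEC_OK[6]  = { 0x80, 0x00, 0x00, 0x00, 0x00, 0x00 };
const uint8_t VEC_BAD[6] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80 };
#define UB_2_40 ((int64_t)1 << 40)
```

A 32-bit bound variable would truncate UB_2_40 to 0 and make the comparison meaningless, which is why the bound and offset are kept in 64-bit types throughout.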

Details on the issue, including potential mitigations or patches, are discussed in the upstream GitHub issue at https://github.com/mouse07410/asn1c/issues/222.

Details

CWE(s): CWE-1284 (Improper Validation of Specified Quantity in Input)

CVEs Like This One

CVE-2026-3381 (shared CWE-1284)
CVE-2026-27384 (shared CWE-1284)
CVE-2026-1092 (shared CWE-1284)
CVE-2025-14513 (shared CWE-1284)
CVE-2026-30573 (shared CWE-1284)
CVE-2026-25345 (shared CWE-1284)
CVE-2021-47827 (shared CWE-1284)
CVE-2023-54337 (shared CWE-1284)
CVE-2026-40093 (shared CWE-1284)
CVE-2024-30516 (shared CWE-1284)
