CVE-2025-62603
Published: 03 February 2026
Summary
CVE-2025-62603 is a low-severity Out-of-bounds Read (CWE-125) vulnerability in eProsima Fast DDS. Its CVSS base score is 1.7 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 8.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-62603 is a denial-of-service vulnerability in Fast DDS, an open-source C++ implementation of the OMG Data Distribution Service (DDS) standard. The issue resides in the parsing of ParticipantGenericMessage, a DDS Security control-message container used for handshakes and ongoing security traffic like crypto-token exchanges. Upon receipt, the CDR parser deserializes the message_data field, specifically the DataHolderSeq, by reading a sequence count followed by class_id strings, string properties, and binary properties for each holder. Due to RTPS protocol allowances for duplicates, delays, and retransmissions, the stateless parser fully unfolds potentially malformed structures without higher-layer state awareness, leading to excessive memory allocation and an out-of-memory condition that terminates the process. This affects Fast DDS versions prior to 3.4.1, 3.3.1, and 2.6.11.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating network-accessible exploitation with low complexity and no required privileges or user interaction. Any unauthenticated remote attacker capable of sending RTPS traffic to a vulnerable Fast DDS participant can craft a malicious ParticipantGenericMessage with a large or malformed DataHolderSeq, triggering the full parsing path and causing memory exhaustion. Successful exploitation results in remote process termination, disrupting service availability for DDS-based applications relying on Fast DDS for real-time pub-sub communication.
Patches addressing this issue are available in Fast DDS versions 3.4.1, 3.3.1, and 2.6.11, as detailed in upstream GitHub commits such as 354218514d32beac963ff5c306f1cf159ee37c5f, a726e6a5daba660418d1f7c05b6f203c17747d2b, and ced3b6a5d928af1eae77d5fe889878128ad421a. Security practitioners should upgrade to these fixed releases. Debian's security tracker also documents the CVE for affected packages.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206665
Vulnerability details
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). ParticipantGenericMessage is the DDS Security control-message container that carries not only the handshake but also ongoing security-control traffic after the handshake, such as crypto-token exchange, rekeying, re-authentication, and token delivery for newly appearing endpoints. On receive, the CDR parser is invoked first and deserializes the `message_data` (i.e., the `DataHolderSeq`) via the `readParticipantGenericMessage → readDataHolderSeq` path. The `DataHolderSeq` is parsed sequentially: a sequence count (`uint32`), and for each DataHolder the `class_id` string (e.g. `DDS:Auth:PKI-DH:1.0+Req`), string properties (a sequence of key/value pairs), and binary properties (a name plus an octet-vector). The parser operates at a stateless level and does not know higher-layer state (for example, whether the handshake has already completed), so it fully unfolds the structure before distinguishing legitimate from malformed traffic. Because RTPS permits duplicates, delays, and retransmissions, a receiver must perform at least minimal structural parsing to check identity and sequence numbers before discarding or processing a message; the current implementation, however, does not "peek" only at a minimal header and instead parses the entire `DataHolderSeq`. As a result, prior to versions 3.4.1, 3.3.1, and 2.6.11, this parsing behavior can trigger an out-of-memory condition and remotely terminate the process. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.
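The defensive pattern the fix relies on is shown below in an added example (not Fast DDS's own code): a simplified, bounds-checked reader for the `DataHolderSeq` layout described above, which validates every claimed sequence count against the bytes actually present before reserving memory. The little-endian, padding-free encoding, the `Cursor` type and the byte minimums are assumptions made for illustration.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <utility>
#include <vector>
// Simplified CDR cursor: little-endian, no alignment padding (an assumption
// for illustration, not Fast DDS's own Cdr class). Every read is bounds-checked.
struct Cursor {
    const uint8_t* p; size_t len; size_t off = 0;
    size_t left() const { return len - off; }
    bool u32(uint32_t& v) { if (left() < 4) return false; std::memcpy(&v, p + off, 4); off += 4; return true; }
    bool str(std::string& s) {  // length-prefixed string, length bounded by left()
        uint32_t n; if (!u32(n) || n > left()) return false;
        s.assign(reinterpret_cast<const char*>(p + off), n); off += n; return true;
    }
};
struct DataHolder {
    std::string class_id;
    std::vector<std::pair<std::string, std::string>> string_props;
    std::vector<std::pair<std::string, std::vector<uint8_t>>> binary_props;
};
// Smallest encodable DataHolder: empty class_id (4) + two empty property
// sequences (4 + 4) = 12 bytes; a property pair needs at least 8 bytes.
constexpr size_t kMinHolder = 12, kMinProp = 8;
// Hardened parse: each claimed count is checked against the bytes actually
// present *before* any allocation, so a forged huge count is rejected cheaply.
bool parseDataHolderSeq(const uint8_t* buf, size_t len, std::vector<DataHolder>& out) {
    Cursor c{buf, len}; uint32_t count;
    if (!c.u32(count) || count > c.left() / kMinHolder) return false;
    out.clear(); out.reserve(count);
    for (uint32_t i = 0; i < count; ++i) {
        DataHolder h; uint32_t n;
        if (!c.str(h.class_id) || !c.u32(n) || n > c.left() / kMinProp) return false;
        for (uint32_t j = 0; j < n; ++j) {
            std::string k, v; if (!c.str(k) || !c.str(v)) return false;
            h.string_props.emplace_back(std::move(k), std::move(v));
        }
        if (!c.u32(n) || n > c.left() / kMinProp) return false;
        for (uint32_t j = 0; j < n; ++j) {
            std::string k; uint32_t bl;
            if (!c.str(k) || !c.u32(bl) || bl > c.left()) return false;
            h.binary_props.emplace_back(std::move(k), std::vector<uint8_t>(buf + c.off, buf + c.off + bl));
            c.off += bl;
        }
        out.push_back(std::move(h));
    }
    return true;
}
```

A message that declares 0xFFFFFFFF holders but carries no payload is refused at the first check, before `reserve` is ever called; a well-formed single-holder message parses normally.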
Related Threats
MITRE ATT&CK Enterprise Techniques: Exploit Public-Facing Application (T1190)
Why these techniques?
Remote, unauthenticated network exploitation of a public-facing DDS service, causing an application or system crash through malformed message parsing.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of flaws like the Fast DDS DataHolderSeq parsing memory exhaustion, directly enabling patching to versions 3.4.1, 3.3.1, or 2.6.11.
- SC-5 (Denial-of-service Protection): implements protections against denial-of-service events such as the remote memory exhaustion triggered by malformed ParticipantGenericMessage in Fast DDS.
- Mandates validation and sanitization of information inputs like the DataHolderSeq in ParticipantGenericMessage to prevent excessive memory allocation from malformed RTPS traffic.