Skip to main content

eProsima Fast-DDS CVE-2025-67108

CRITICAL
Improper Validation of Certificate Expiration (CWE-298)
2025-12-23 cve@mitre.org
10.0
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
vuln.today AI
8.2 HIGH

Bypassing revocation requires a previously-issued (now revoked) credential and a security-enabled domain, so PR:L and AC:H; scope changes as the access-control component's failure exposes other domain participants, with high C/I and no availability impact.

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 03:37 vuln.today

DescriptionCVE.org

eProsima Fast-DDS v3.3 was discovered to contain improper validation for ticket revocation, resulting in insecure communications and connections.

AnalysisAI

Improper validation of permissions/ticket revocation in eProsima Fast-DDS 3.3.0 allows revoked or no-longer-valid security credentials to be accepted, permitting unauthorized participants to join a secured DDS domain and exchange data over connections that should have been refused. The flaw sits in the DDS Security access-control layer (Permissions handling) and undermines the confidentiality and integrity guarantees of an otherwise authenticated domain. Rated CVSS 10.0 with a scope change, but EPSS is low (0.30%, 22th percentile) and there is no public exploit identified at time of analysis, so real-world risk is narrower than the base score implies.

Technical ContextAI

Fast-DDS is eProsima's C++ implementation of the OMG Data Distribution Service (DDS) real-time publish/subscribe middleware, most widely known as the default RMW middleware for ROS 2. Its DDS Security plugins provide authentication, access control, and cryptographic protection between domain participants; access control relies on signed Permissions and Governance documents that carry validity windows and can be revoked. The reference to src/cpp/security/accesscontrol/Permissions.cpp indicates the defect lives in how the access-control plugin evaluates permission/ticket revocation. The assigned weakness, CWE-298 (Improper Validation of Certificate Expiration), maps to this root cause: the code fails to correctly reject credentials whose revocation/expiration state should bar them, so stale or revoked tickets are honored and 'insecure communications and connections' result.

RemediationAI

No vendor-released patched version is identified in the provided data, so a specific fixed release cannot be cited; monitor eProsima's Fast-DDS GitHub releases and http://fast-dds.com for a security update covering the Permissions/access-control revocation check and upgrade as soon as a fixed 3.3.x (or later) build is published. As compensating controls until a patch is applied: rotate and reissue the Permissions/Governance CA and all participant permissions so that revoked credentials are no longer merely revoked but cryptographically superseded (trade-off: requires redistributing signed permissions to every participant and causes downtime for the domain); tighten the Governance policy to shorten permissions validity windows so stale tickets expire quickly (trade-off: more frequent credential reissuance overhead); and network-isolate the DDS domain to trusted segments and restrict RTPS discovery/traffic (typically UDP 7400-7500 range) to known participants via firewall/allowlisting so an attacker holding a revoked ticket cannot reach the domain (trade-off: breaks dynamic discovery and cross-subnet participants). Confirm the exact fix version from eProsima before relying on an upgrade claim.

CVE-2025-65865 HIGH POC
7.5 Dec 23

Remote denial of service in eProsima Fast-DDS v3.3.0 allows unauthenticated network attackers to crash affected processe

CVE-2024-30259 HIGH POC
7.5 May 14

FastDDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Ra

CVE-2024-30258 HIGH POC
7.5 May 14

FastDDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Ra

CVE-2024-28231 HIGH POC
7.5 Mar 20

eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Rate

CVE-2023-42459 HIGH POC
7.5 Oct 16

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). R

CVE-2024-30916 HIGH POC
7.1 Apr 11

An issue was discovered in eProsima FastDDS v.2.14.0 and before, allows a local attacker to cause a denial of service (D

CVE-2025-62799 CRITICAL
9.8 Feb 03

Fast DDS (eProsima) has a heap buffer overflow in its C++ DDS implementation that allows remote attackers to execute cod

CVE-2024-30917 MEDIUM POC
5.5 Apr 11

An issue was discovered in eProsima FastDDS v.2.14.0 and before, allows a local attacker to cause a denial of service (D

CVE-2025-62600 HIGH
8.6 Feb 03

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ).

CVE-2025-62599 HIGH
8.6 Feb 03

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ).

CVE-2025-62603 HIGH
7.5 Feb 03

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ).

CVE-2025-64438 HIGH
7.5 Feb 03

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ).

Share

CVE-2025-67108 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy