eProsima Fast-DDS CVE-2025-67108
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Bypassing revocation requires a previously-issued (now revoked) credential and a security-enabled domain, so PR:L and AC:H; scope changes as the access-control component's failure exposes other domain participants, with high C/I and no availability impact.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
eProsima Fast-DDS v3.3 was discovered to contain improper validation for ticket revocation, resulting in insecure communications and connections.
AnalysisAI
Improper validation of permissions/ticket revocation in eProsima Fast-DDS 3.3.0 allows revoked or no-longer-valid security credentials to be accepted, permitting unauthorized participants to join a secured DDS domain and exchange data over connections that should have been refused. The flaw sits in the DDS Security access-control layer (Permissions handling) and undermines the confidentiality and integrity guarantees of an otherwise authenticated domain. Rated CVSS 10.0 with a scope change, but EPSS is low (0.30%, 22th percentile) and there is no public exploit identified at time of analysis, so real-world risk is narrower than the base score implies.
Technical ContextAI
Fast-DDS is eProsima's C++ implementation of the OMG Data Distribution Service (DDS) real-time publish/subscribe middleware, most widely known as the default RMW middleware for ROS 2. Its DDS Security plugins provide authentication, access control, and cryptographic protection between domain participants; access control relies on signed Permissions and Governance documents that carry validity windows and can be revoked. The reference to src/cpp/security/accesscontrol/Permissions.cpp indicates the defect lives in how the access-control plugin evaluates permission/ticket revocation. The assigned weakness, CWE-298 (Improper Validation of Certificate Expiration), maps to this root cause: the code fails to correctly reject credentials whose revocation/expiration state should bar them, so stale or revoked tickets are honored and 'insecure communications and connections' result.
RemediationAI
No vendor-released patched version is identified in the provided data, so a specific fixed release cannot be cited; monitor eProsima's Fast-DDS GitHub releases and http://fast-dds.com for a security update covering the Permissions/access-control revocation check and upgrade as soon as a fixed 3.3.x (or later) build is published. As compensating controls until a patch is applied: rotate and reissue the Permissions/Governance CA and all participant permissions so that revoked credentials are no longer merely revoked but cryptographically superseded (trade-off: requires redistributing signed permissions to every participant and causes downtime for the domain); tighten the Governance policy to shorten permissions validity windows so stale tickets expire quickly (trade-off: more frequent credential reissuance overhead); and network-isolate the DDS domain to trusted segments and restrict RTPS discovery/traffic (typically UDP 7400-7500 range) to known participants via firewall/allowlisting so an attacker holding a revoked ticket cannot reach the domain (trade-off: breaks dynamic discovery and cross-subnet participants). Confirm the exact fix version from eProsima before relying on an upgrade claim.
Remote denial of service in eProsima Fast-DDS v3.3.0 allows unauthenticated network attackers to crash affected processe
FastDDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Ra
FastDDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Ra
eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Rate
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). R
An issue was discovered in eProsima FastDDS v.2.14.0 and before, allows a local attacker to cause a denial of service (D
Fast DDS (eProsima) has a heap buffer overflow in its C++ DDS implementation that allows remote attackers to execute cod
An issue was discovered in eProsima FastDDS v.2.14.0 and before, allows a local attacker to cause a denial of service (D
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ).
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ).
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ).
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ).
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today