Skip to main content

Micro-XRCE-DDS Agent EUVDEUVD-2025-209606

| CVE-2025-63548 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-05-01 mitre
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 01, 2026 - 20:30 vuln.today
CVSS changed
May 01, 2026 - 19:22 NVD
7.5 (None) 7.5 (HIGH)
EUVD ID Assigned
May 01, 2026 - 18:00 euvd
EUVD-2025-209606
Analysis Generated
May 01, 2026 - 18:00 vuln.today
CVE Published
May 01, 2026 - 00:00 nvd
HIGH 7.5

DescriptionCVE.org

An issue in Eprosima Micro-XREC-DDS Agent v.3.0.1 allows a remote attacker to cause a denial of service via a packet specially crafted to bear a non-valid value in any Boolean field.

AnalysisAI

Remote denial of service in Eprosima Micro-XRCE-DDS Agent 3.0.1 allows unauthenticated network attackers to crash the DDS agent by sending malformed packets containing invalid boolean field values. The vulnerability is automatable (per SSVC) with proof-of-concept code publicly available, requiring no privileges or user interaction (CVSS AV:N/AC:L/PR:N/UI:N), making it trivial to exploit against internet-exposed DDS deployments. EPSS data not available but SSVC classifies as automatable with partial technical impact.

Technical ContextAI

Micro-XRCE-DDS (Extremely Resource Constrained Environments - Data Distribution Service) is a lightweight publish-subscribe middleware protocol used in IoT, robotics, and embedded systems for real-time data exchange. The Agent component acts as a bridge between XRCE clients and standard DDS networks. This vulnerability stems from improper input validation (CWE-400: Uncontrolled Resource Consumption) in the packet parsing logic. When processing XRCE protocol messages, the agent fails to validate boolean field values properly, allowing specially crafted packets with non-standard boolean representations (values other than 0x00 or 0x01) to trigger resource exhaustion or crash conditions. The affected serialization layer does not enforce strict type checking on incoming network data before processing, leading to undefined behavior when invalid boolean values are encountered during deserialization.

RemediationAI

Organizations should immediately review the vendor's GitHub issue tracker at https://github.com/eProsima/Micro-XRCE-DDS-Agent/issues/389 for official patch guidance, as no specific fix version is documented in available vulnerability data at time of analysis. Until a vendor-released patch is confirmed and deployed, implement network-layer compensating controls: restrict Micro-XRCE-DDS Agent network exposure using firewall rules to allow connections only from trusted client IP ranges, deploy the agent behind a VPN or private network segment isolated from the internet, and implement rate limiting on inbound XRCE protocol traffic to mitigate automated exploitation attempts. For critical deployments, consider placing a protocol-aware reverse proxy or DDS gateway in front of the agent to validate and sanitize boolean field values before forwarding packets (note: this requires deep packet inspection capability for XRCE protocol and may introduce latency unsuitable for real-time systems). Monitor agent process health and implement automated restart mechanisms to restore service quickly if crashes occur, though this does not prevent exploitation and may mask ongoing attacks. These mitigations reduce attack surface but do not eliminate the vulnerability-patching remains the only complete remediation once available.

Share

EUVD-2025-209606 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy