Fluid Attacks Database

Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, working with large buffers in Lua scripts can lead to a stack overflow. Users of Lua rules and output scripts may be affected when working with large buffers. This includes a rule passing a large buffer to a Lua script. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves disabling Lua rules and output scripts, or making sure limits, such as stream.depth.reassembly and HTTP response body limits (response-body-limit), are set to less than half the stack size.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	suricata	=1:7.0.10-1 \|\| =1:7.0.11-1 \|\| =1:7.0.11-1~bpo13+1 \|\| =1:8.0.0-1~exp1 \|\| =1:8.0.0-1~exp2 \|\| =1:8.0.0-1~exp4 \|\| =1:8.0.0-1~exp5 \|\| =1:8.0.1-1 \|\| =1:8.0.1-2 \|\| =1:8.0.1-3 \|\| =1:8.0.1-3~bpo13+1 \|\| =1:8.0.2-1~bpo13+1 \|\| >=0 <1:8.0.2-1	1:8.0.2-1
debian 11	suricata	=1:6.0.1-3 \|\| =1:6.0.1-3+deb11u1 \|\| =1:6.0.10-1 \|\| =1:6.0.10-1~bpo11+1 \|\| =1:6.0.13-1 \|\| =1:6.0.2-1~exp1 \|\| =1:6.0.3-1 \|\| =1:6.0.3-1~exp1 \|\| =1:6.0.3-1~exp2 \|\| =1:6.0.3-2 \|\| =1:6.0.3-2~bpo11+1 \|\| =1:6.0.4-1 \|\| =1:6.0.4-2 \|\| =1:6.0.4-2~bpo10+1 \|\| =1:6.0.4-2~bpo11+1 \|\| =1:6.0.4-3 \|\| =1:6.0.5-1 \|\| =1:6.0.5-2 \|\| =1:6.0.5-2~bpo10+1 \|\| =1:6.0.5-2~bpo11+1 \|\| =1:6.0.5-3 \|\| =1:6.0.6-1 \|\| =1:6.0.6-1~bpo10+1 \|\| =1:6.0.6-1~bpo11+1 \|\| =1:6.0.6-2 \|\| =1:6.0.8-1 \|\| =1:6.0.8-1~bpo11+1 \|\| =1:6.0.9-1 \|\| =1:6.0.9-1~bpo11+1 \|\| =1:7.0.0-1 \|\| =1:7.0.0-2 \|\| =1:7.0.0-2~bpo12+1 \|\| =1:7.0.1-1 \|\| =1:7.0.10-1 \|\| =1:7.0.10-1~bpo12+1 \|\| =1:7.0.11-1 \|\| =1:7.0.11-1~bpo13+1 \|\| =1:7.0.2-1 \|\| =1:7.0.2-1~bpo12+1 \|\| =1:7.0.2-2 \|\| =1:7.0.2-2~exp1 \|\| =1:7.0.2-2~exp2 \|\| =1:7.0.3-1 \|\| =1:7.0.3-1~bpo12+1 \|\| =1:7.0.4-1 \|\| =1:7.0.5-1 \|\| =1:7.0.5-2~bpo12+1 \|\| =1:7.0.6-1 \|\| =1:7.0.6-1~bpo12+1 \|\| =1:7.0.6-2~exp1 \|\| =1:7.0.7-1 \|\| =1:7.0.7-1~bpo12+1 \|\| =1:7.0.8-1 \|\| =1:7.0.8-1~bpo12+1 \|\| =1:7.0.8-2 \|\| =1:7.0.9-1 \|\| =1:8.0.0-1~exp1 \|\| =1:8.0.0-1~exp2 \|\| =1:8.0.0-1~exp4 \|\| =1:8.0.0-1~exp5 \|\| =1:8.0.1-1 \|\| =1:8.0.1-2 \|\| =1:8.0.1-3 \|\| =1:8.0.1-3~bpo13+1 \|\| =1:8.0.2-1 \|\| =1:8.0.2-1~bpo13+1 \|\| =1:8.0.3-1 \|\| =1:8.0.3-1~bpo13+1 \|\| =1:8.0.3-2~exp1 \|\| =1:8.0.4-1 \|\| =1:8.0.4-1~bpo13+1	-
debian 13	suricata	=1:7.0.10-1 \|\| =1:7.0.10-1+deb13u1 \|\| >=0 <1:7.0.10-1+deb13u2	1:7.0.10-1+deb13u2

Aliases

1. CVE-2025-643442. NVD-2025-643443. OSV-DEBIAN-2025-643444. OSV-2025-643445. SECURITY-TRACKER-CVE-2025-64344

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.