7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-68388

CVE-2025-68388: Elasticsearch Packetbeat has Excessive Allocation of Memory and CPU via Malicious IPv4 Fragments

Allocation of resources without limits or throttling (CWE-770) allows an unauthenticated remote attacker to cause excessive allocation (CAPEC-130) of memory and CPU via the integration of malicious IPv4 fragments, leading to denial-of-service in Packetbeat.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-68388

CVE-2025-68388:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/elastic/beats	go	>= 8.6.0, < 8.19.9	8.19.9
github.com/elastic/beats	go	>= 9.0.0, < 9.1.9	9.1.9
github.com/elastic/beats	go	>= 9.2.0, < 9.2.3	9.2.3
github.com/elastic/beats/v7	go	< 7.0.0-alpha2.0.20251209162832-28cfc80d2f4e	7.0.0-alpha2.0.20251209162832-28cfc80d2f4e

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in Packetbeat's IPv4 fragment reassembly logic, which could be exploited to cause a denial-of-service through memory and CPU exhaustion. The root cause was in the decoder.fragmentCache.add function, which lacked critical bounds checks. An unauthenticated remote attacker could send a stream of crafted IPv4 fragments that would be stored in a cache without any limits on the number of fragment sets or the number of fragments per set. The cache was also keyed only by the 16-bit fragment ID, making it possible for an attacker to cause hash collisions and inject fragments into reassembly queues for legitimate traffic.

The decoder.Decoder.OnPacket function serves as the entry point for this vulnerability, as it's the top-level function that receives and processes the malicious packets before passing them to the flawed add method. Furthermore, the old decoder.fragmentCache.purge function had an inefficient garbage collection mechanism, which worsened the memory leak by failing to clean up stale fragments in a timely manner.

The patch addresses these issues by:

Introducing strict limits (fragmentMaxSets, fragmentMaxPerFlow, ipMaxLength) within the add function to cap memory usage.
Changing the fragment cache key to a struct (fragmentKey) that includes source/destination IP, protocol, and ID, thus preventing cross-flow fragment injection.
Replacing the purge logic with a more efficient maybePurge function that runs periodically, ensuring timely cleanup of expired fragments.

Vulnerable functions

decoder.fragmentCache.add

packetbeat/decoder/decoder.go

This function is responsible for adding new IPv4 fragments to a cache for reassembly. The vulnerable version of this function did not limit the number of fragments or fragment sets it would store, nor did it properly validate the total size. An attacker could send a high volume of crafted fragments, causing the cache to grow indefinitely and leading to memory exhaustion and a denial-of-service. The cache was also keyed only by the fragment ID, allowing an attacker to inject fragments into legitimate streams.

decoder.Decoder.OnPacket

packetbeat/decoder/decoder.go

This is the main packet processing function in the decoder. It receives all incoming packets and is responsible for identifying and handling IPv4 fragments by calling `fragmentCache.add`. When a malicious stream of fragmented packets is received, this function orchestrates their processing, directly leading to the vulnerable `add` function being called repeatedly, triggering the excessive resource allocation.

decoder.fragmentCache.purge

packetbeat/decoder/decoder.go

This function was responsible for cleaning up expired fragments from the cache. The original implementation was inefficient and could fail to purge stale fragments effectively, especially when fragments were missing. This exacerbated the memory exhaustion issue, as the cache would not only grow due to the lack of limits in `add` but also retain old, incomplete fragment sets for longer than necessary.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-68388: Elasticsearch Packetbeat has Excessive Allocation of Memory and CPU via Malicious IPv4 Fragments

CVE-2025-68388:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

7.5

7.5

CVE-2025-68388: Elasticsearch Packetbeat has Excessive Allocation of Memory and CPU via Malicious IPv4 Fragments

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI