QwikSec

Security Database

CVE

CWE

Training

CVE-2025-53538

Published: Jul 22, 2025

Modified: Jul 23, 2025

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions 7.0.10 and below and 8.0.0-beta1 through 8.0.0-rc1, mishandling of data on HTTP2 stream 0 can lead to uncontrolled memory usage, leading to loss of visibility. Workarounds include disabling the HTTP/2 parser, and using a signature like drop http2 any any -> any any (frame:http2.hdr; byte_test:1,=,0,3; byte_test:4,=,0,5; sid: 1;) where the first byte test tests the HTTP2 frame type DATA and the second tests the stream id 0. This is fixed in versions 7.0.11 and 8.0.0.

Vendor	Product	Versions
OISF	suricata	affected `< 7.0.11` affected `>= 8.0.0-beta1, < 8.0.0`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/OISF/suricata/security/advisories/GHSA-qrr7-crgj-cmh3

x_refsource_CONFIRM

https://github.com/OISF/suricata/commit/1d6d331752e933c46aca0ae7a9679b27462246e3

x_refsource_MISC

https://github.com/OISF/suricata/commit/7fa88ea9e7d05e07a7864050cfd836b576669720

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.