CVE-2025-54349: 
NixOS vulnerability analysis and mitigation

CVE-2025-54349 affects iperf versions before 3.19.1, specifically involving an off-by-one error and resultant heap-based buffer overflow in the iperf_auth.c file. The vulnerability was discovered and reported by Han Lee from Apple Information Security and was publicly disclosed on July 25, 2025 (GitHub Release). The issue has been assigned a CVSS v3.1 base score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L (NVD).

The vulnerability stems from an off-by-one error in the authentication mechanism within iperfauth.c. The issue specifically relates to improper memory allocation in the decryptrsa_message function, where the plaintext buffer was allocated without accounting for the NULL terminator. The fix involved adding an extra byte to the memory allocation with the comment '// Note: +1 for NULL' and modifying the plaintext length checking logic (GitHub Commit).

The heap-based buffer overflow vulnerability could potentially lead to memory corruption, which might result in program crashes or potential code execution. The CVSS scoring indicates low impacts across confidentiality, integrity, and availability, but the vulnerability's network accessibility makes it a significant security concern (NVD).

The vulnerability has been patched in iperf version 3.19.1. Users are strongly advised to upgrade to this version or later to address the security issue. The fix involves proper memory allocation in the authentication mechanism (GitHub Release).