CVE-2025-59149: 
Suricata vulnerability analysis and mitigation

Suricata version 8.0.0 contains a vulnerability where rules using the keyword ldap.responses.attribute_type with transforms can lead to a stack buffer overflow during Suricata startup or during a rule reload. The vulnerability was discovered in September 2025 and assigned CVE-2025-59149. The issue affects Suricata version 8.0.0 and has been fixed in version 8.0.1 (Suricata Release).

The vulnerability is caused by the ShortenString function not properly handling a buffer of size 0, which can result in a stack-based buffer overflow condition. The issue specifically occurs when processing rules that use the ldap.responses.attribute_type keyword (which is notably long) in combination with transforms. The vulnerability has been assigned a CVSS v3.1 base score of 6.2 (Medium) with vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating local attack vector, low attack complexity, no privileges required, and high impact on availability (GitHub Advisory).

The vulnerability primarily affects system availability, with no direct impact on confidentiality or integrity. When exploited, it can cause a stack buffer overflow during Suricata startup or rule reload operations, potentially leading to system instability or crashes (GitHub Advisory).

The primary mitigation is to update to Suricata version 8.0.1 which contains the fix for this vulnerability. As a temporary workaround, users can disable rules that use ldap.responses.attribute_type keyword with transforms. The fix has been implemented through hardening the string shortener function, as evidenced by the patch commit (GitHub Commit).