CVE-2025-62291: 
strongSwan vulnerability analysis and mitigation

A critical vulnerability (CVE-2025-62291) was discovered in the strongSwan client's eap-mschapv2 plugin, affecting all versions since 4.2.12. The vulnerability was discovered by Xu Biang of HUST CSE and publicly disclosed on October 27, 2025. The issue relates to incorrect handling of EAP-MSCHAPv2 failure requests on the client side (StrongSwan Blog).

The vulnerability stems from improper length checking of EAP-MSCHAPv2 Failure Request packets in the client. The eap-mschapv2 plugin fails to correctly verify the packet length, leading to an integer underflow when the packet size is between 6 and 8 bytes. This underflow occurs during memory allocation and copying operations, potentially resulting in a heap-based buffer overflow. The issue carries a CVSS v3.1 Base Score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability can lead to multiple severe consequences including system crashes resulting in denial of service, and potentially remote code execution. When exploited, an attacker could cause the strongSwan client to crash or possibly execute arbitrary code if a user or automated system connects to a malicious server (Ubuntu Security).

Several mitigation options are available: clients not using EAP authentication are not vulnerable; those using specific non-tunneling EAP methods (e.g., eap-tls or eap-md5) are safe; and the eap-mschapv2 plugin can be disabled if not required. The vulnerability is fixed in strongSwan 6.0.3, and patches are available for older versions. Additionally, compiling the plugin with optimization and -D_FORTIFY_SOURCE=3 prevents the buffer overflow, though DoS attacks remain possible (StrongSwan Blog).