CVE-2025-9019: 
NixOS vulnerability analysis and mitigation

A heap-based buffer overflow vulnerability has been discovered in tcpreplay version 4.5.1, specifically affecting the mask_cidr6 function in the cidr.c file of the tcpprep component. The vulnerability was identified in August 2025 and has been assigned CVE-2025-9019. The issue affects tcpreplay versions up to 4.5.1, with confirmation that it has been fixed in version 4.5.2-beta1 (NVD, GitHub Issue).

The vulnerability occurs due to insufficient bounds checking in the IPv6 CIDR mask processing logic. The issue manifests when the mask_cidr6 function attempts to read beyond allocated memory boundaries while processing malformed IPv6 addresses. The vulnerability is triggered through the include option processing path via parse_xX_str at line 89. Specifically, when memory is allocated via our_safe_strdup in doOptInclude for a 2-byte string, the function attempts to read 1 byte beyond the allocated region. The vulnerability has been assigned a CVSS v3.1 base score of 3.1 (Low) with vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L (GitHub Issue).

The exploitation of this vulnerability can lead to heap-based buffer overflow, potentially causing memory corruption and program crashes. The attack can be initiated remotely, though the complexity of exploitation is considered high. While the vulnerability affects availability, there is no direct impact on confidentiality or integrity (VulDB).

The vulnerability has been fixed in tcpreplay version 4.5.2-beta1. Users are advised to upgrade to this version or later to mitigate the vulnerability. The code maintainer has confirmed that the issue is resolved in the 4.5.2 release (GitHub Issue).