CVE-2025-52964

Summary

A Reachable Assertion vulnerability in the Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS).

When the device receives a specific BGP UPDATE packet, the rpd crashes and restarts. Continuous receipt of this specific packet will cause a sustained DoS condition.

For the issue to occur, BGP multipath with "pause-computation-during-churn" must be configured on the device, and the attacker must send the paths via a BGP UPDATE from a established BGP peer.

This issue affects: Junos OS:

  • All versions before 21.4R3-S7,
  • from 22.3 before 22.3R3-S3,
  • from 22.4 before 22.4R3-S5,
  • from 23.2 before 23.2R2,
  • from 23.4 before 23.4R2.

Junos OS Evolved:

  • All versions before 21.4R3-S7-EVO,
  • from 22.3 before 22.3R3-S3-EVO,
  • from 22.4 before 22.4R3-S5-EVO,
  • from 23.2 before 23.2R2-EVO,
  • from 23.4 before 23.4R2-EVO.

Affected Software

VendorProductVersion RangeStatus
Juniper NetworksJunos OS0 < 21.4R3-S7affected
Juniper NetworksJunos OS22.3 < 22.3R3-S3affected
Juniper NetworksJunos OS22.4 < 22.4R3-S5affected
Juniper NetworksJunos OS23.2 < 23.2R2affected
Juniper NetworksJunos OS23.4 < 23.4R2affected
Juniper NetworksJunos OS22.1 < 22.1*affected
Juniper NetworksJunos OS22.2 < 22.2*affected
Juniper NetworksJunos OS Evolved0 < 21.4R3-S7-EVOaffected
Juniper NetworksJunos OS Evolved22.3 < 22.3R3-S3-EVOaffected
Juniper NetworksJunos OS Evolved22.4 < 22.4R3-S5-EVOaffected
Juniper NetworksJunos OS Evolved23.2 < 23.2R2-EVOaffected
Juniper NetworksJunos OS Evolved23.4 < 23.4R2-EVOaffected

Weaknesses

  • CWE-617: CWE-617 Reachable Assertion

Workarounds

This issue can be mitigated by disabling the multipath computation pause command "pause-computation-during-churn".

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References