{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-24T13:57:27.894","vulnerabilities":[{"cve":{"id":"CVE-2025-66624","sourceIdentifier":"security-advisories@github.com","published":"2025-12-05T19:15:53.120","lastModified":"2026-06-17T09:57:07.407","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"BACnet Protocol Stack library provides a BACnet application layer, network layer and media access (MAC) layer communications services. Prior to 1.5.0.rc2, The npdu_is_expected_reply function in src/bacnet/npdu.c indexes request_pdu[offset+2/3/5] and reply_pdu[offset+1/2/4] without verifying that those APDU bytes exist. bacnet_npdu_decode() can return offset == 2 for a 2-byte NPDU, so tiny PDUs pass the version check and then get read out of bounds. On ASan/MPU/strict builds this is an immediate crash (DoS). On unprotected builds it is undefined behavior and can mis-route replies; RCE is unlikely because only reads occur, but DoS is reliable."},{"lang":"es","value":"La biblioteca de la pila de protocolos BACnet proporciona servicios de comunicación de capa de aplicación BACnet, capa de red y capa de acceso al medio (MAC). Versiones anteriores a 1.5.0.rc2, la función npdu_is_expected_reply en src/bacnet/npdu.c indexa request_pdu[offset+2/3/5] y reply_pdu[offset+1/2/4] sin verificar que esos bytes APDU existan. bacnet_npdu_decode() puede devolver offset == 2 para una NPDU de 2 bytes, por lo que las PDU pequeñas pasan la verificación de versión y luego se leen fuera de los límites. En compilaciones ASan/MPU/estrictas, esto es un fallo inmediato (DoS). En compilaciones desprotegidas, es un comportamiento indefinido y puede enrutar mal las respuestas; RCE es poco probable porque solo ocurren lecturas, pero DoS es fiable."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"bacnet-stack","product":"bacnet-stack","versions":[{"version":"< 1.5.0.rc2","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2025-12-08T17:28:35.179529Z","id":"CVE-2025-66624","options":[{"exploitation":"poc"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:bacnetstack:bacnet_stack:1.5.0:rc1:*:*:*:*:*:*","matchCriteriaId":"2B47182E-6B7F-4C53-904A-EB37C9C0A439"}]}]}],"references":[{"url":"https://github.com/bacnet-stack/bacnet-stack/commit/9378f7d1e70169ebde4a5090bae7603703eadf48","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-8wgw-5h6x-qgqg","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}