Suricata Detection Bypass Vulnerability via Crafted SYN Packets

Vulnerability

A detection bypass vulnerability has been identified in Suricata versions 7.0.11 and earlier, as well as 8.0.0. It is triggered when crafted traffic sends multiple SYN packets with different sequence numbers within the same flow tuple. Suricata can then fail to track the TCP session, so the traffic bypasses detection and logging in IDS mode; in IPS mode the flow is blocked instead.

Impact

In IDS mode, this vulnerability allows for a detection and logging bypass. In IPS mode, it causes the flow to be blocked.

Reproduction

The vulnerability can be reproduced by sending multiple SYN packets with different sequence numbers within the same flow tuple. This can be done using network traffic generation tools that allow for the manipulation of TCP packet details.
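As an added illustration (not part of this advisory or of the Suricata project), the following Python snippet flags flows whose client sends pure SYN packets carrying more than one initial sequence number, the pattern described above, over constructed sample packet records. It is meant as a triage heuristic for captures taken by a sensor that is not itself affected: SYN retransmissions reuse the same ISN and are not flagged, and port reuse after a client RST/FIN is treated as a new connection.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample packet records, not a real capture. Each record is
# (src_ip, src_port, dst_ip, dst_port, tcp_flags, seq) for one client packet.
SAMPLE_PACKETS = [
    ("10.0.0.5", 40001, "192.0.2.10", 80, "S", 1000),    # SYN
    ("10.0.0.5", 40001, "192.0.2.10", 80, "S", 1000),    # retransmit, same ISN: benign
    ("10.0.0.7", 40002, "192.0.2.10", 80, "S", 5000),    # first SYN
    ("10.0.0.7", 40002, "192.0.2.10", 80, "S", 9000),    # second SYN, new ISN
    ("10.0.0.7", 40002, "192.0.2.10", 80, "S", 13000),   # third SYN, new ISN
    ("10.0.0.9", 40003, "192.0.2.10", 80, "S", 100),     # SYN
    ("10.0.0.9", 40003, "192.0.2.10", 80, "R", 101),     # client tears the flow down
    ("10.0.0.9", 40003, "192.0.2.10", 80, "S", 777),     # port reuse after RST: benign
]

FlowKey = Tuple[str, int, str, int]


def find_multi_isn_flows(packets, min_distinct: int = 2) -> Dict[FlowKey, List[int]]:
    """Return flows whose client sent pure SYNs with at least `min_distinct`
    different initial sequence numbers and no intervening RST/FIN."""
    isns: Dict[FlowKey, Set[int]] = defaultdict(set)
    for src, sport, dst, dport, flags, seq in packets:
        key = (src, sport, dst, dport)
        if "R" in flags or "F" in flags:
            # Teardown: a later SYN on the same tuple is a new, legitimate connection.
            isns.pop(key, None)
            continue
        # Only pure SYNs (no ACK bit) open a handshake; SYN/ACK replies are skipped.
        if "S" in flags and "A" not in flags:
            isns[key].add(seq)
    return {k: sorted(v) for k, v in isns.items() if len(v) >= min_distinct}


def describe(flows: Dict[FlowKey, List[int]]) -> List[str]:
    """Render one alert line per flagged flow."""
    return [
        f"{src}:{sport} -> {dst}:{dport} sent {len(seqs)} SYNs with distinct ISNs {seqs}"
        for (src, sport, dst, dport), seqs in flows.items()
    ]


if __name__ == "__main__":
    for line in describe(find_multi_isn_flows(SAMPLE_PACKETS)):
        print(line)
```

On the constructed records only the 10.0.0.7 flow is reported; a single hit is a triage signal to correlate with the sensor's flow log, not proof of evasion on its own.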

Remediation

Upgrade to Suricata 7.0.12 or 8.0.1, which address this vulnerability.

Added: Oct 1, 2025, 8:25 PM
Updated: Oct 1, 2025, 8:25 PM

Vulnerability Rating

Custom Algorithm
  spread          2.4
  impact          5.0
  exploitability  5.7
  remediation     7.7
  relevance       0.6
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.