CVE-2025-30653 in Junos OSinfo

Summary

by MITRE • 04/09/2025

An Expired Pointer Dereference vulnerability in Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, adjacent attacker to cause Denial of Service (DoS).On all Junos OS and Junos OS Evolved platforms, when an MPLS Label-Switched Path (LSP) is configured with node-link-protection and transport-class, and an LSP flaps, rpd crashes and restarts. Continuous flapping of LSP can cause a sustained Denial of Service (DoS) condition.

This issue affects:

Junos OS:



* All versions before 22.2R3-S4,

* 22.4 versions before 22.4R3-S2,

* 23.2 versions before 23.2R2,

* 23.4 versions before 23.4R2.





Junos OS Evolved:



* All versions before 22.2R3-S4-EVO,

* 22.4-EVO versions before 22.4R3-S2-EVO,

* 23.2-EVO versions before 23.2R2-EVO,

* 23.4-EVO versions before 23.4R2-EVO.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 01/24/2026

The vulnerability described in CVE-2025-30653 represents a critical Expired Pointer Dereference flaw within the Routing Protocol Daemon (rpd) component of Juniper Networks Junos OS and Junos OS Evolved platforms. This issue manifests as a denial of service condition that can be exploited by unauthenticated adjacent attackers, making it particularly dangerous in network environments where physical or logical proximity to target systems is achievable. The vulnerability specifically impacts MPLS Label-Switched Path configurations when node-link-protection and transport-class parameters are implemented, creating a scenario where normal network operations can trigger system instability.

The technical root cause of this vulnerability lies in improper memory management within the rpd process when handling LSP flap events. When an MPLS LSP configured with node-link-protection and transport-class experiences a flap condition, the routing protocol daemon attempts to access memory locations that have already been freed or invalidated, resulting in a pointer dereference operation on expired memory. This memory access violation causes the rpd process to crash and subsequently restart, effectively disrupting routing operations and network connectivity. The flaw demonstrates characteristics consistent with CWE-416, which specifically addresses Use After Free conditions where program code attempts to access memory after it has been freed.

The operational impact of this vulnerability extends beyond simple service interruption to create sustained denial of service conditions that can severely impact network reliability and availability. Network administrators may observe continuous restart cycles of the rpd process when LSP flapping occurs repeatedly, leading to extended periods of routing instability. This is particularly concerning in production environments where MPLS traffic engineering is actively deployed, as the vulnerability can be triggered by legitimate network events such as link failures or routing convergence processes. The vulnerability's exploitation requires only adjacent network access, making it accessible to attackers who can position themselves within the same broadcast domain or network segment.

The affected platforms span multiple Junos OS and Junos OS Evolved release lines, with specific version boundaries indicating the scope of impacted systems. Organizations running Junos OS versions prior to 22.2R3-S4, 22.4R3-S2, 23.2R2, or 23.4R2, along with their corresponding Evolved variants, must address this vulnerability immediately. The vulnerability's presence in both traditional Junos OS and the newer Evolved platform demonstrates that the underlying memory management issue affects the core routing protocol implementation across Juniper's product portfolio. Network security teams should prioritize patching efforts to address this vulnerability as part of their ongoing vulnerability management programs.

Mitigation strategies should include immediate deployment of available patches from Juniper Networks, which address the memory management flaw in the rpd process. Network administrators should also implement monitoring solutions to detect LSP flap events that could trigger the vulnerability, allowing for proactive intervention before system crashes occur. Additional defensive measures include implementing network segmentation to limit adjacent access, configuring LSPs with alternative protection mechanisms that do not utilize node-link-protection when feasible, and establishing robust incident response procedures for rapid recovery from denial of service conditions. The vulnerability's classification under the ATT&CK framework would align with T1499.004 for Network Denial of Service, and potentially T1071.004 for Application Layer Protocol usage in routing protocol contexts, making it a critical target for both preventive and detective security controls.

Responsible

Juniper

Reservation

03/24/2025

Disclosure

04/09/2025

Moderation

accepted

CPE

ready

EPSS

0.00219

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!