CVE-2025-24356: UDP traffic amplification via fastd's fast reconnect feature

First published: Mon Jan 27 2025(Updated: )

fastd is a VPN daemon which tunnels IP packets and Ethernet frames over UDP. When receiving a data packet from an unknown IP address/port combination, fastd will assume that one of its connected peers has moved to a new address and initiate a reconnect by sending a handshake packet. This "fast reconnect" avoids having to wait for a session timeout (up to ~90s) until a new connection is established. Even a 1-byte UDP packet just containing the fastd packet type header can trigger a much larger handshake packet (~150 bytes of UDP payload). Including IPv4 and UDP headers, the resulting amplification factor is roughly 12-13. By sending data packets with a spoofed source address to fastd instances reachable on the internet, this amplification of UDP traffic might be used to facilitate a Distributed Denial of Service attack. This vulnerability is fixed in v23.

Credit: security-advisories@github.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/weakness
• agent/title
• agent/references
• agent/type
• agent/description
• agent/first-publish-date
• collector/nvd-api
• source/NVD
• agent/author
• agent/severity
• agent/event
• agent/source
• collector/mitre-cve
• source/MITRE
• agent/last-modified-date
• agent/softwarecombine
• agent/tags
• agent/epss
• collector/epss-latest
• source/FIRST
• agent/guess-ai
• agent/software-canonical-lookup
• agent/software-canonical-lookup-request
• vendor/fastd
• canonical/fastd