Buffer Overflow in BACnet Protocol Stack Library by BACnet Stack
CVE-2025-66624

7.5HIGH

Key Information:

Vendor: Bacnet-stack
Status: Bacnet-stack
Vendor: CVE Published:; 5 December 2025

🔔 Create Bacnet-stack Vulnerability Alert

What is CVE-2025-66624?

The BACnet Protocol Stack library, which offers critical communication services for BACnet applications, contains a buffer overflow vulnerability in the npdu_is_expected_reply function. This flaw arises from insufficient verification of APDU byte existence prior to indexing, potentially causing out-of-bounds reads. While this can lead to a denial-of-service condition in specific builds, it may also result in undefined behavior on unprotected builds, impairing network communications. Users are strongly advised to upgrade to version 1.5.0.rc2 or later to mitigate these risks.

Affected Version(s)

bacnet-stack < 1.5.0.rc2

References

https://github.com/bacnet-stack/bacnet-stack/security/adv...

x_refsource_CONFIRM

https://github.com/bacnet-stack/bacnet-stack/commit/9378f...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 5, 2025
Vulnerability Reserved
Dec 5, 2025

JSON