CVE-2025-61908

unknown
Published: — · Modified: —
CVSS v3: —
CVSS v4 (NEW): —
not yet in upstream
VIR risk: —

Description

Icinga 2 is an open source monitoring system. From 2.10.0 to before 2.15.1, 2.14.7, and 2.13.13, when creating an invalid reference, such as a reference to null, dereferencing results in a segmentation fault. This can be used by any API user with access to an API endpoint that allows specifying a filter expression to crash the Icinga 2 daemon. A fix is included in the following Icinga 2 versions: 2.15.1, 2.14.7, and 2.13.13.

Predictions

Exploit likelihood: 20%
Patch ETA: —

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · DFSG

Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release               Version             Status
icinga2 (PTS)    bullseye              2.12.3-1            vulnerable
icinga2          bullseye (security)   2.12.3-1+deb11u1    vulnerable
icinga2          bookworm              2.13.6-2+deb12u2    vulnerable
icinga2          trixie                2.14.6-1            vulnerable
icinga2          forky, sid            2.16.1-1            fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
icinga2   source   (unstable)   2.15.1-1        -         -        -

Notes

[trixie] - icinga2 <no-dsa> (Minor issue)
[bookworm] - icinga2 <no-dsa> (Minor issue)
[bullseye] - icinga2 <postponed> (Minor issue, only exploitable by already authenticated users)
https://github.com/Icinga/icinga2/security/advisories/GHSA-v9jg-xqhj-f43g
https://github.com/Icinga/icinga2/commit/0dadce2b972f1d8d9f9b11f3a4eb9604b79cacb2 (v2.15.1)
https://github.com/Icinga/icinga2/commit/0d737e263a2244be07da85e5c5d6d914888255d4 (v2.14.7)
https://github.com/Icinga/icinga2/commit/b7549d09f64b05edb57d568a94e0df45d3b7cfd3 (v2.13.13)
https://icinga.com/blog/releasing-icinga-2-v2-15-1-2-14-7-and-2-13-13-and-icinga-db-web-v1-2-3-and-1-1-4/



OS impact

OS              Version    Status     Fixed in
debian debian   bookworm   affected   -
debian debian   bullseye   affected   -
debian debian   forky      fixed      2.15.1-1
debian debian   sid        fixed      2.15.1-1
debian debian   trixie     affected   -
suse sles       -          affected   -
