PT-2025-5339 · Fastd · Fastd

Neocturne · Published 2025-01-26 · Updated 2025-08-27

CVE-2025-24356

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: fastd versions prior to v23

Description: fastd is a VPN daemon that tunnels IP packets and Ethernet frames over UDP. When it receives a data packet from an IP address/port combination it has no session with, fastd initiates a reconnect by sending a handshake packet to that address. This "fast reconnect" avoids waiting for a session timeout before a new connection is established. Because even a small UDP data packet triggers a much larger handshake packet, the exchange amplifies traffic by a factor of roughly 12-13. An attacker can use this to facilitate a Distributed Denial of Service attack by sending data packets with a spoofed source address (the victim's) to fastd instances reachable on the internet; the handshake replies are then delivered to the victim.

Recommendations: Update fastd to version v23 or later, which resolves the issue. As a temporary workaround, restrict access to fastd instances to minimize the risk of exploitation, for example by limiting the listening UDP port to known peer addresses with firewall rules, and avoid exposing fastd instances to the internet without such measures in place.
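A practitioner who cannot upgrade immediately will want a way to tell from flow data whether an exposed instance is already being abused. The following is an added example, not code from the fastd project: it runs a reflection heuristic over bidirectional UDP flow records of the kind a NetFlow/IPFIX collector exports. The record layout, the listen port 10000, the peer addresses, the packet sizes and the thresholds are all assumptions constructed for the example; the only figure taken from the advisory is the roughly 12-13x amplification. The heuristic looks for three things together, because the byte ratio alone would also flag a legitimate download-heavy tunnel: a large bytes-out/bytes-in ratio, replies tracking probes about one-to-one, and tiny inbound packets.

```python
"""Flag likely abuse of fastd's pre-v23 fast-reconnect amplification from
UDP flow records.  Added example, not fastd project code; all sample data,
ports and thresholds below are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class UdpFlow:
    """One bidirectional UDP flow, as a NetFlow/IPFIX collector would report it."""
    peer_addr: str      # remote address; under attack this is the spoofed victim
    peer_port: int
    local_port: int     # port the fastd instance listens on
    pkts_in: int        # packets received from peer_addr
    bytes_in: int       # UDP payload bytes received from peer_addr
    pkts_out: int       # packets sent to peer_addr
    bytes_out: int      # UDP payload bytes sent to peer_addr


def amplification(flow: UdpFlow) -> float:
    """Bytes sent back per byte received (0.0 if nothing was received)."""
    return flow.bytes_out / flow.bytes_in if flow.bytes_in else 0.0


def looks_like_reflection(flow: UdpFlow, fastd_port: int,
                          min_ratio: float = 8.0, min_pkts: int = 5,
                          max_probe_size: int = 64) -> bool:
    """Heuristic for the pre-v23 behaviour: each small data packet from an
    unknown source draws one much larger handshake packet in reply.

    Three conditions together separate this from a legitimate tunnel that
    happens to be download-heavy (many large outbound packets, few inbound):
      * the byte ratio is large (the advisory puts it at roughly 12-13x),
      * replies track probes roughly one-to-one,
      * the inbound packets are tiny (a probe, not tunnelled payload).
    The thresholds are assumptions chosen for this example, not fastd defaults.
    """
    if flow.local_port != fastd_port or flow.pkts_in < min_pkts:
        return False
    avg_in = flow.bytes_in / flow.pkts_in
    one_reply_per_probe = 0.5 * flow.pkts_in <= flow.pkts_out <= 1.5 * flow.pkts_in
    return (amplification(flow) >= min_ratio
            and one_reply_per_probe
            and avg_in <= max_probe_size)


def suspicious_flows(flows, fastd_port, known_peers):
    """Return (flow, ratio, is_known_peer_address) for every matching flow.
    A hit whose address belongs to a configured peer is still reported: the
    attacker may be spoofing that peer's address to direct handshakes at it."""
    hits = []
    for f in flows:
        if looks_like_reflection(f, fastd_port):
            hits.append((f, round(amplification(f), 1), f.peer_addr in known_peers))
    return hits


# Constructed sample: a fastd listener on UDP 10000 with one configured peer.
FASTD_PORT = 10000
KNOWN_PEERS = {"198.51.100.7"}
SAMPLE_FLOWS = [
    # legitimate peer, established session, download-heavy: not flagged
    UdpFlow("198.51.100.7", 10000, FASTD_PORT, 400, 120_000, 900, 1_100_000),
    # reflection: 5 probes of 20 bytes each answered by 5 handshakes of 260 bytes
    UdpFlow("203.0.113.9", 40000, FASTD_PORT, 5, 100, 5, 1300),
    # a single stray packet: not enough evidence
    UdpFlow("203.0.113.10", 40001, FASTD_PORT, 1, 20, 1, 260),
    # unrelated service on another port: out of scope
    UdpFlow("203.0.113.11", 53, 53, 50, 2500, 50, 25_000),
    # spoofed source that happens to be the configured peer's address
    UdpFlow("198.51.100.7", 55555, FASTD_PORT, 200, 4000, 190, 48_000),
]

if __name__ == "__main__":
    for flow, ratio, known in suspicious_flows(SAMPLE_FLOWS, FASTD_PORT, KNOWN_PEERS):
        tag = " (address of a configured peer: possible spoofing)" if known else ""
        print(f"{flow.peer_addr}:{flow.peer_port} -> :{flow.local_port} "
              f"ratio {ratio}x over {flow.pkts_in} probes{tag}")
```

Run against real exporter data, the same three conditions hold, but the byte and packet thresholds should be tuned to the instance's normal traffic; a hit against a configured peer's address is worth checking against that peer's own logs, since the handshakes it receives are the attack traffic.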

Exploit

Fix

DoS

Weakness Enumeration

Related Identifiers

BDU:2025-14006
CVE-2025-24356
GHSA-PGGG-VPFV-4RCV

Affected Products

Debian
Fastd