CVE-2025-59938 ‒ Heap buffer overflow in wazuh-analysisd

Metrics: cve.org

Description

Wazuh is a free and open source platform for threat prevention, detection, and response. In versions from 3.8.0 up to, but not including, 4.11.0, wazuh-analysisd is vulnerable to a heap buffer overflow when parsing XML elements from Windows EventChannel messages.

Vulnerability

The Wazuh server is vulnerable to a heap buffer overflow when parsing XML elements from Windows EventChannel messages.

The flaw is in the analysis engine (wazuh-analysisd), which processes the events that agents deliver to the manager's remote daemon, listening by default on TCP port 1514. Whenever the analysis engine receives a Windows event from an agent, it invokes the Windows decoder.

The bug can be triggered by sending a specially crafted XML message from an agent. By default, new agents can enrol without authentication and without acceptance by an administrator, so an unauthenticated attacker can register a malicious agent and use it to deliver the crafted event.

PoC

The PoC triggers the bug by sending the XML message directly to the server’s local UNIX socket (the queue that feeds wazuh-analysisd). The same input also reaches the bug over the network when it is sent from an enrolled agent.

  • Start wazuh-analysisd: /var/ossec/bin/wazuh-analysisd -f
  • Send input: python3 ./repr.py ./input.txt
  • wazuh-analysisd crashes: Segmentation fault (core dumped)

repr.py:

import socket
import sys

# Connect to the local analysisd queue socket and deliver the crafted input
# as a single datagram (the queue is a SOCK_DGRAM UNIX socket).
sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
sock.connect("/var/ossec/queue/sockets/queue")
with open(sys.argv[1], "rb") as f:
    sock.send(f.read())
sock.close()

input.txt

Mitigations

Upgrade to Wazuh 4.11.0 or later, which is outside the affected range. Until the upgrade is done, do not leave agent enrolment open: require an enrolment password or manual acceptance of new agents so that arbitrary hosts cannot register an agent and reach the vulnerable decoder.
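As an added check, not part of the advisory or of the Wazuh project, the following Python script evaluates the two conditions the advisory describes: whether a manager's version falls in the affected range (3.8.0 <= version < 4.11.0) and whether its ossec.conf <auth> block accepts enrolment without a password. The version strings and configuration fragments are constructed for the example; the assumption that <use_password>yes</use_password> inside <auth> is the option that forces an enrolment password is taken from Wazuh's documented manager configuration, and treating a missing <auth> block as "enrolment not open" is a simplification noted in the code.

```python
import re
import xml.etree.ElementTree as ET

# Bounds from the advisory: affected from 3.8.0 (inclusive) to 4.11.0 (exclusive).
AFFECTED_MIN = (3, 8, 0)
FIXED_VERSION = (4, 11, 0)


def parse_version(version_string):
    """Extract an (major, minor, patch) tuple from strings such as 'v4.10.1'
    or 'Wazuh v4.3.10'. Raises ValueError if no x.y.z triple is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError(f"no x.y.z version found in {version_string!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version_string):
    """True if the manager build lies inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version_string) < FIXED_VERSION


def enrollment_is_open(ossec_conf_xml):
    """True if the <auth> block would let any host enrol without a password.

    Assumption (documented Wazuh option): <use_password>yes</use_password>
    forces a shared password at enrolment. A missing <auth> block is treated
    as 'not open' here; the default manager config always ships one, so a
    real deployment should be checked rather than relying on that branch.
    """
    root = ET.fromstring(ossec_conf_xml)
    auth = root.find("auth")
    if auth is None:
        return False

    def option(tag, default):
        el = auth.find(tag)
        return (el.text or "").strip().lower() if el is not None else default

    if option("disabled", "no") == "yes":
        return False  # authd switched off: no enrolment path at all
    return option("use_password", "no") != "yes"


def assess(version_string, ossec_conf_xml):
    """Combine both checks. Unauthenticated network exposure needs a
    vulnerable build *and* an enrolment path any host can use."""
    affected = is_affected(version_string)
    open_enrol = enrollment_is_open(ossec_conf_xml)
    return {
        "affected_version": affected,
        "open_enrollment": open_enrol,
        "exposed": affected and open_enrol,
    }


# Constructed sample configurations (not taken from a real deployment).
OPEN_CONF = """<ossec_config>
  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_password>no</use_password>
  </auth>
</ossec_config>"""

HARDENED_CONF = """<ossec_config>
  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_password>yes</use_password>
  </auth>
</ossec_config>"""


if __name__ == "__main__":
    for version, conf, label in (
        ("Wazuh v4.10.1", OPEN_CONF, "vulnerable build, open enrolment"),
        ("Wazuh v4.10.1", HARDENED_CONF, "vulnerable build, password required"),
        ("Wazuh v4.11.0", OPEN_CONF, "fixed build, open enrolment"),
    ):
        print(label, "->", assess(version, conf))
```

Run the script against the real values by feeding it the output of /var/ossec/bin/wazuh-control info (for the version) and the contents of /var/ossec/etc/ossec.conf; note that a production ossec.conf often contains several top-level <ossec_config> elements, so wrap the file in a single root element before handing it to ET.fromstring. A result with "affected_version" true but "exposed" false still leaves the bug reachable from any already-enrolled agent and from anything that can write to the local queue socket.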

Additional Details

Timeline

Date         Action
15.01.2025   Vulnerability reported to vendor (via GitHub Security)
03.02.2025   Vulnerability report accepted by vendor
26.09.2025   Public release of advisory