Introduction
Unexpected service interruptions on critical F5 BIG-IP infrastructure can immediately disrupt application delivery, trigger failover events, and degrade the user experience. A buffer overflow in the Traffic Management Microkernel (TMM), triggered by specific iRule configurations, exposes organizations to targeted denial of service, particularly in environments that rely on custom Node.js extensions through iRules LX.
About F5 Networks: F5 is a leading provider of application delivery controllers and security appliances, and its BIG-IP platform is widely deployed in enterprise, service provider, and cloud environments. The extensibility of BIG-IP through iRules and iRules LX is a key feature, but it also introduces a complex attack surface.
Technical Information
CVE-2025-53474 is a buffer overflow vulnerability (CWE-120) in the F5 BIG-IP Traffic Management Microkernel (TMM). The issue arises when a virtual server is configured with an iRule that uses the ILX::call command to invoke Node.js extensions through iRules LX. Under certain undisclosed traffic conditions, improper input validation allows data to be copied into fixed-size buffers without adequate bounds checking. This classic buffer overflow can corrupt memory and cause TMM to terminate unexpectedly, resulting in immediate service disruption and triggering failover in clustered deployments.
The vulnerability specifically affects the communication path between the TCL-based iRule execution in TMM and the Node.js extension process. When data passed from the iRule to the extension (or vice versa) exceeds the expected buffer size, the overflow occurs. The root cause is a lack of input size validation during buffer copy operations, as described in CWE-120. No public code snippets or exploit details are available.
Affected Systems and Versions
- Products: F5 BIG-IP
- Component: Traffic Management Microkernel (TMM) with iRules using ILX::call (iRules LX)
- Affected Versions:
  - Confirmed fixed in BIG-IP version 17.5.1.3 (release notes)
  - Vulnerability affects earlier versions where iRules using ILX::call are configured
  - Only systems with iRules that invoke Node.js extensions via ILX::call are vulnerable
- Configuration: Only virtual servers with iRules using ILX::call are affected. Default configurations or systems without iRules LX are not vulnerable.
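Because exposure depends entirely on whether a virtual server has an iRule that calls ILX::call attached, the first defensive step is an inventory. The following added example (not F5's code and not from the advisory) scans a constructed bigip.conf-style configuration, tracks brace depth so that TCL braces inside iRule bodies do not confuse the parser, and reports each virtual server together with the attached iRules that invoke ILX::call. The rule and virtual server names, the constructed sample configuration and the helper names are all assumptions.

```python
import re
# Constructed sample in tmsh bigip.conf style; not a dump from a real device.
SAMPLE_CONFIG = """\
ltm rule /Common/ilx_rule {
    when HTTP_REQUEST {
        set result [ILX::call $rpc_handle check_request [HTTP::uri]]
    }
}
ltm rule /Common/plain_rule {
    when HTTP_REQUEST { HTTP::respond 200 content "ok" }
}
ltm virtual /Common/vs_app {
    rules { /Common/ilx_rule }
}
ltm virtual /Common/vs_plain {
    rules { /Common/plain_rule }
}
"""

def parse_blocks(text):
    """Split config into top-level (kind, name, body_lines) tuples by brace depth."""
    blocks, current, depth = [], None, 0
    for line in text.splitlines():
        if current is None:
            m = re.match(r"^(ltm (?:rule|virtual)) (\S+) \{$", line)
            if m:
                current, depth = (m.group(1), m.group(2), []), 1
            continue
        # Braces inside TCL string literals would skew this; fine for an inventory pass.
        depth += line.count("{") - line.count("}")
        if depth > 0:
            current[2].append(line)
        else:
            blocks.append(current)
            current = None
    return blocks

def find_exposed_virtuals(text):
    """Map each virtual server to its attached iRules that invoke ILX::call."""
    blocks = parse_blocks(text)
    ilx_rules = {name for kind, name, body in blocks
                 if kind == "ltm rule" and any("ILX::call" in l for l in body)}
    exposed = {}
    for kind, name, body in blocks:
        if kind == "ltm virtual":
            m = re.search(r"rules\s*\{(.*?)\}", "\n".join(body), re.S)
            hits = [r for r in (m.group(1).split() if m else []) if r in ilx_rules]
            if hits:
                exposed[name] = hits
    return exposed
```

Run it against a saved copy of the device configuration; every virtual server it lists is one whose iRules reach the ILX::call path described above and should be prioritised for the 17.5.1.3 update.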
Vendor Security History
F5 has previously addressed multiple vulnerabilities in the TMM component, including buffer overflows and denial of service conditions. For example, bug ID 884801-12 (fixed in 17.5.1.3) describes similar TMM crash scenarios involving ILX::call. F5's quarterly security notifications and advisories provide timely information and patches for critical vulnerabilities. The extensibility of BIG-IP through custom code paths (such as iRules LX) has led to recurring security issues that require careful configuration and prompt patching.