Introduction
Unexpected service interruptions and loss of web application security enforcement can have immediate operational and security consequences for any organization. On October 15, 2025, F5 Networks disclosed a high-severity vulnerability affecting BIG-IP Advanced WAF and Application Security Manager (ASM) products that can cause the core bd process to terminate when it processes certain malformed JSON schemas in security policies.
About F5 and BIG-IP: F5 Networks is a leading vendor in the application delivery and security market. Their BIG-IP product line is widely deployed in enterprise and critical infrastructure environments to provide load balancing, web application firewalling, and advanced security controls. The Advanced WAF and ASM modules are core to protecting web applications and APIs for thousands of organizations globally.
Technical Information
CVE-2025-54858 arises when a BIG-IP Advanced WAF or ASM security policy is configured with a JSON content profile that includes a malformed JSON schema. If this policy is applied to a virtual server, certain undisclosed HTTP request patterns can trigger uncontrolled recursion in the bd daemon's JSON schema validation logic. This results in excessive stack or memory usage and ultimately causes the bd process to crash.
The root cause is improper handling of recursive structures or circular references in JSON schemas. The bd process does not adequately bound or validate recursion depth when parsing and validating these schemas. When a triggering request is received, the process enters a recursive loop that exhausts system resources. The vulnerability is classified as CWE-674 (Uncontrolled Recursion).
The bd daemon is responsible for enforcing security policies on HTTP requests. Its termination leads to a temporary loss of security enforcement until the process restarts. This creates a window where protected applications may be exposed to attacks or unfiltered traffic.
The vulnerability only manifests when malformed JSON schemas are present in active security policies. Well-formed schemas or policies without JSON content profiles are not affected.
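Because the condition is only reachable when a malformed schema is already part of an active policy, the practical control on the administrator's side is to lint schemas before the policy that carries them is attached to a virtual server. The following is an added example, not F5 code and not a reproduction of bd's validation logic: a small Python lint that follows every local `$ref` in a schema hop by hop, reporting reference loops that never land on a concrete schema object and references that resolve to nothing, plus the document's literal nesting depth as a cheap bound to enforce on input. What this example treats as "malformed" (pure `$ref` loops and dangling refs) is its own assumption; recursive definitions that pass through a structural keyword such as `properties` are legitimate JSON Schema and are deliberately not flagged. The sample schemas at the bottom are constructed for the demonstration.

```python
"""Pre-deployment lint for JSON schemas used in WAF JSON content profiles.
Added example, not F5 code.  Assumptions: only same-document ('#/...')
references are resolved, and draft-07 semantics apply (siblings of $ref
are ignored, so a target that is itself only a $ref is just another hop)."""
import json
from urllib.parse import unquote


def resolve_local_ref(root, ref):
    """Resolve a local JSON Pointer reference such as '#/definitions/node'."""
    if not ref.startswith("#"):
        raise ValueError(f"non-local $ref not supported: {ref}")
    node = root
    for token in ref[1:].split("/")[1:]:
        token = unquote(token).replace("~1", "/").replace("~0", "~")
        node = node[int(token)] if isinstance(node, list) else node[token]
    return node


def iter_refs(node, path=()):
    """Yield (path, ref) for every $ref in the document WITHOUT resolving
    any of them, so this walk is bounded by the document size."""
    if isinstance(node, dict):
        if isinstance(node.get("$ref"), str):
            yield path, node["$ref"]
        for key, value in node.items():
            yield from iter_refs(value, path + (key,))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from iter_refs(value, path + (str(i),))


def lint_schema(schema):
    """Return findings as (kind, location, ref_chain) tuples.
    Each $ref is followed hop by hop; the walk stops as soon as a hop lands
    on a target that has no $ref of its own (a concrete schema, even if it
    is recursive), or when a ref repeats (loop) or cannot be resolved."""
    findings = []
    for path, first_ref in iter_refs(schema):
        location = "/".join(path) or "<root>"
        chain, ref = [], first_ref
        while True:
            if ref in chain:
                chain.append(ref)
                findings.append(("ref-loop", location, chain))
                break
            chain.append(ref)
            try:
                target = resolve_local_ref(schema, ref)
            except (KeyError, IndexError, ValueError, TypeError):
                findings.append(("unresolvable-ref", location, chain))
                break
            if not (isinstance(target, dict) and isinstance(target.get("$ref"), str)):
                break  # reached a concrete schema: legitimate reference
            ref = target["$ref"]
    return findings


def nesting_depth(node):
    """Depth of the literal JSON document; a cheap limit to enforce on input."""
    if isinstance(node, dict):
        return 1 + max((nesting_depth(v) for v in node.values()), default=0)
    if isinstance(node, list):
        return 1 + max((nesting_depth(v) for v in node), default=0)
    return 0


# Constructed sample schemas for the demonstration (not from the advisory).
GOOD_TREE = json.loads('''{
  "definitions": {"node": {"type": "object",
    "properties": {"child": {"$ref": "#/definitions/node"}}}},
  "$ref": "#/definitions/node"}''')          # recursive but well-formed

BAD_LOOP = json.loads('''{
  "definitions": {"a": {"$ref": "#/definitions/b"},
                  "b": {"$ref": "#/definitions/a"}},
  "properties": {"payload": {"$ref": "#/definitions/a"}}}''')

BAD_DANGLING = json.loads('{"properties": {"x": {"$ref": "#/definitions/missing"}}}')

SELF_LOOP = {"$ref": "#"}                    # root that only refers to itself

if __name__ == "__main__":
    for name, s in [("good-tree", GOOD_TREE), ("bad-loop", BAD_LOOP),
                    ("bad-dangling", BAD_DANGLING), ("self-loop", SELF_LOOP)]:
        print(name, "depth", nesting_depth(s), lint_schema(s) or "clean")
```

Run against the four samples, only `good-tree` comes back clean; the other three produce findings that name the exact reference chain, which is what an operator needs in order to fix the profile before it reaches a virtual server. The lint is deliberately not a full validator: it only answers "can a resolver spin on this schema's references" and "how deeply is this document nested", which are the two properties the advisory's CWE-674 classification points at.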
Affected Systems and Versions
- Products: F5 BIG-IP Advanced WAF and Application Security Manager (ASM)
- Affected versions: 17.5.0 through 17.5.1
- Vulnerable only when a security policy is configured with a JSON content profile containing a malformed JSON schema and applied to a virtual server
- Fixed in: 17.5.1.3 and 17.1.3
Vendor Security History
F5 has previously addressed vulnerabilities in the ASM and Advanced WAF components related to JSON processing and the bd daemon. Notable examples include:
- CVE-2020-27718 (JSON parameter parsing)
- CVE-2022-41836 and CVE-2022-26890 (bd daemon issues)
In October 2024, F5 experienced a major security incident involving theft of source code and vulnerability data by nation-state actors. This event has increased scrutiny of the vendor's security practices and response times. F5 has maintained a regular schedule of security notifications and timely patch releases, but recurring issues in core components remain a concern.