CVE-2025-21591

A Buffer Access with Incorrect Length Value vulnerability in the jdhcpd daemon of Juniper Networks Junos OS, when DHCP snooping is enabled, allows an unauthenticated, adjacent, attacker to send a DHCP packet with a malformed DHCP option to cause jdhcp to crash creating a Denial of Service (DoS) condition.

Continuous receipt of these DHCP packets using the malformed DHCP Option will create a sustained Denial of Service (DoS) condition.

This issue affects Junos OS:

from 23.1 before 23.2R2-S3,
from 23.4 before 23.4R2-S3,
from 24.2 before 24.2R2.

This issue isn't applicable to any versions of Junos OS before 23.1R1.

This issue doesn't affect vSRX Series which doesn't support DHCP Snooping.

This issue doesn't affect Junos OS Evolved.

There are no indicators of compromise for this issue.

Published: Apr 9, 2025
Updated: Nov 16, 2025
CVE: CVE-2025-21591
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.4
AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CWEs:

CWE-805

Affected Software
References

Software	From	Fixed in
juniper / junos	23.1-r1	23.1-r1.x
juniper / junos	23.2	23.2.x
juniper / junos	23.2-r1	23.2-r1.x
juniper / junos	23.2-r1-s1	23.2-r1-s1.x
juniper / junos	23.2-r1-s2	23.2-r1-s2.x
juniper / junos	23.2-r2	23.2-r2.x
juniper / junos	23.2-r2-s1	23.2-r2-s1.x
juniper / junos	23.2-r2-s2	23.2-r2-s2.x
juniper / junos	23.4	23.4.x
juniper / junos	23.4-r1	23.4-r1.x
juniper / junos	23.4-r1-s1	23.4-r1-s1.x
juniper / junos	23.4-r1-s2	23.4-r1-s2.x
juniper / junos	23.4-r2	23.4-r2.x
juniper / junos	23.4-r2-s1	23.4-r2-s1.x
juniper / junos	23.4-r2-s2	23.4-r2-s2.x
juniper / junos	24.2	24.2.x
juniper / junos	24.2-r1	24.2-r1.x
juniper / junos	24.2-r1-s1	24.2-r1-s1.x
juniper / junos	24.2-r1-s2	24.2-r1-s2.x

https://supportportal.juniper.net/JSA96448

Vulnerability Database

324,311

CVE-2025-21591

Deep Security Visibility Without the Complexity