CVE-2025-58447

Published: Sep 9, 2025Modified: Sep 17, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: security-advisories@github.com (Secondary)

Description

rAthena is an open-source cross-platform massively multiplayer online role playing game (MMORPG) server. Versions prior to commit 2f5248b have a heap-based buffer overflow in the login server, remote attacker to overwrite adjacent session fields by sending a crafted `CA_SSO_LOGIN_REQ` with an oversized token length. This leads to immediate denial of service (crash) and it is possible to achieve remote code execution via heap corruption. Commit 2f5248b fixes the issue.

Affected (1)

Products: Rathena: Rathena

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Rathena Rathena	Before 2025-09-06

Related CWEs

Heap-based Buffer Overflow

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

References (2)

https://github.com/rathena/rathena/commit/2f5248b9cd9a8c6b42422ddecfc4cc2cd0e69e4b

Source: security-advisories@github.com

Patch

https://github.com/rathena/rathena/security/advisories/GHSA-4p33-6xqr-cm6x

Source: security-advisories@github.com

Vendor Advisory

Timeline

No history available yet.