CVE-2025-65942

Sažetak

VictoriaMetrics is a scalable solution for monitoring and managing time series data. In versions from 1.0.0 to before 1.110.23, from 1.111.0 to before 1.122.8, and from 1.123.0 to before 1.129.1, affected versions are vulnerable to DoS attacks because the snappy decoder ignored VictoriaMetrics request size limits allowing malformed blocks to trigger excessive memory use. This could lead to OOM errors and service instability. The fix enforces block-size checks based on MaxRequest limits. This issue has been patched in versions 1.110.23, 1.122.8, and 1.129.1.

Reference

https://github.com/VictoriaMetrics/VictoriaMetrics/commit/51b44afd34d2c9a392d4ebedeeb5b4a7f5beca24
https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.110.23
https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.122.8
https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.129.1
https://github.com/VictoriaMetrics/VictoriaMetrics/security/advisories/GHSA-66jq-2c23-2xh5

CVSS

Base:	2.7
Impact:	1.4
Exploitability:	1.2

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	HIGH

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	NONE	LOW

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

Zadnje važnije ažuriranje

01-12-2025 - 15:39

Objavljeno

25-11-2025 - 23:15