GHSA-66jq-2c23-2xh5

Опубликовано: 25 нояб. 2025

Источник: github

Github: Прошло ревью

CVSS3: 2.7

Описание

VictoriaMetrics' Snappy Decoder DoS Vulnerability is Causing OOM

Impact

Affected versions are vulnerable to DoS attacks because the snappy decoder ignored VictoriaMetrics request size limits allowing malformed blocks to trigger excessive memory use. This could lead to OOM errors and service instability. The fix enforces block-size checks based on MaxRequest limits.

Patches

Versions 1.129.1, 1.122.8, 1.110.23

Resources

Note

VictoriaMetrics' security model assumes its APIs are properly secured (e.g. via access control flags or a firewall); this advisory addresses malicious input that should not be possible under a correctly secured deployment.

Ссылки

Пакеты

Наименование

github.com/VictoriaMetrics/VictoriaMetrics

Затронутые версииВерсия исправления

>= 1.123.0, < 1.129.1

1.129.1

Наименование

github.com/VictoriaMetrics/VictoriaMetrics

Затронутые версииВерсия исправления

>= 1.111.0, < 1.122.8

1.122.8

Наименование

github.com/VictoriaMetrics/VictoriaMetrics

Затронутые версииВерсия исправления

>= 1.0.0, < 1.110.23

1.110.23

EPSS

Процентиль: 18%

0.00057

Низкий

2.7 Low

CVSS3

CVE ID

CVE-2025-65942

Дефекты

CWE-770

Связанные уязвимости

CVE-2025-65942

CVSS3: 2.7

nvd

2 месяца назад

VictoriaMetrics is a scalable solution for monitoring and managing time series data. In versions from 1.0.0 to before 1.110.23, from 1.111.0 to before 1.122.8, and from 1.123.0 to before 1.129.1, affected versions are vulnerable to DoS attacks because the snappy decoder ignored VictoriaMetrics request size limits allowing malformed blocks to trigger excessive memory use. This could lead to OOM errors and service instability. The fix enforces block-size checks based on MaxRequest limits. This issue has been patched in versions 1.110.23, 1.122.8, and 1.129.1.

EPSS

Процентиль: 18%

0.00057

Низкий

2.7 Low

CVSS3

CVE ID

CVE-2025-65942

Дефекты

CWE-770