CVE-2025-65942
BaseFortify
Publication date: 2025-11-25
Last updated on: 2025-11-25
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| victoriametrics | victoriametrics | 1.122.8 |
| victoriametrics | victoriametrics | 1.110.23 |
| victoriametrics | victoriametrics | 1.0.0 |
| victoriametrics | victoriametrics | 1.129.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in VictoriaMetrics occurs because the snappy decoder does not enforce request size limits, allowing malformed data blocks to cause excessive memory usage. This can lead to out-of-memory (OOM) errors and instability in the service. The issue affects certain versions before specific patches and has been fixed by enforcing block-size checks based on maximum request limits.
How can this vulnerability impact me? :
The vulnerability can cause denial of service (DoS) by triggering excessive memory consumption, leading to out-of-memory errors and service instability. This can disrupt monitoring and management of time series data, potentially impacting system availability.
What immediate steps should I take to mitigate this vulnerability?
Upgrade VictoriaMetrics to a patched version: 1.110.23, 1.122.8, or 1.129.1 or later. These versions include fixes that enforce block-size checks based on MaxRequest limits to prevent excessive memory use and DoS attacks.