CVE-2025-69255
Unknown Unknown - Not Provided
Deserialization Panic in RustFS Metrics Endpoint Enables DoS

Publication date: 2026-01-07

Last updated on: 2026-01-07

Assigner: GitHub, Inc.

Description
RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 to 1.0.0-alpha.77, a malformed gRPC GetMetrics request causes get_metrics to unwrap() failed deserialization of metric_type/opts, panicking the handler thread and enabling remote denial of service of the metrics endpoint. This issue has been patched in version 1.0.0-alpha.78.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-07
Last Modified
2026-01-07
Generated
2026-06-16
AI Q&A
2026-01-07
EPSS Evaluated
2026-06-14
NVD
CVE-2025-69255
EUVD
EUVD-2026-1161
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rustfs rustfs From 1.0.0-alpha.13 (inc) to 1.0.0-alpha.78 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-755 The product does not handle or incorrectly handles an exceptional condition.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by sending malformed gRPC GetMetrics requests to the RustFS gRPC endpoint (default TCP port 9000) using tools like grpcurl. An example command to reproduce the panic is to send an invalid or truncated rmp-serde payload with the required static authorization header 'authorization: rustfs rpc'. This will cause the handler thread to panic if the system is vulnerable. Monitoring for crashes or panics in the RustFS metrics service logs when such malformed requests are received can also help detect the vulnerability. [1]

Executive Summary

CVE-2025-69255 is a vulnerability in RustFS, a distributed object storage system, where a malformed gRPC GetMetrics request causes the server to panic and crash the handler thread. This happens because the code uses unwrap() on deserialization of client-supplied data without proper error handling, leading to a panic when the input is invalid or malformed. An attacker with network access and knowledge of a static authorization token can send such malformed requests to cause a remote denial of service by crashing the metrics endpoint handler. [1]

Impact Analysis

This vulnerability can cause a remote denial of service (DoS) by crashing the handler thread responsible for processing metrics requests. This interrupts the metrics service and may cause instability or crashes in the overall RustFS process depending on how runtime crash handling is configured. An attacker who can send malformed requests with the correct authorization token can disrupt monitoring and potentially affect the availability of the RustFS service. [1]

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade RustFS to version 1.0.0-alpha.78 or later, where the issue is patched. Additionally, remove or replace the static authorization token with a secure token set via the environment variable RUSTFS_GRPC_AUTH_TOKEN to enhance authentication security. Restrict network access to the gRPC port (default 9000) to trusted clients only. Applying these steps will prevent remote attackers from sending malformed requests that cause denial of service. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-69255. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart