CVE-2025-69255
Deserialization Panic in RustFS Metrics Endpoint Enables DoS
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rustfs | rustfs | From 1.0.0-alpha.13 (inc) to 1.0.0-alpha.78 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-755 | The product does not handle or incorrectly handles an exceptional condition. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The non-destructive check is the version: any RustFS build from 1.0.0-alpha.13 up to but not including 1.0.0-alpha.78 is affected, so compare the running binary's version against that range first. The active check is to send a malformed gRPC GetMetrics request to the RustFS gRPC endpoint (default TCP port 9000) with a tool such as grpcurl, carrying the required static authorization header 'authorization: rustfs rpc' and an invalid or truncated rmp-serde payload. On a vulnerable build this panics the handler, so treat it as a destructive test and run it only against a non-production instance you are prepared to restart. Watching the RustFS logs for panics in the metrics handler that coincide with inbound GetMetrics requests also reveals the condition, whether triggered by a test or by an attacker. [1]
Can you explain this vulnerability to me?
CVE-2025-69255 is a vulnerability in RustFS, a distributed object storage system, in which a malformed gRPC GetMetrics request makes the server panic inside the request handler. The cause is an unwrap() call on the result of deserializing client-supplied data: when the rmp-serde payload is invalid or truncated, deserialization returns an error, and unwrap() turns that error into a panic instead of returning a gRPC error status to the client. An attacker with network access to the gRPC port who knows the authorization token (a static value in affected versions unless it has been overridden) can send such requests to cause a remote denial of service of the metrics endpoint. [1]
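The following is an added illustration of the pattern, not RustFS code. It models the GetMetrics handler with a toy MessagePack decoder (fixarray of fixstr/str8 strings, standard library only, so it runs without rmp-serde or tonic) and places the vulnerable shape, unwrap() on the decode result, beside the hardened shape that maps the decode error to a client-facing status. The request struct, decoder, status enum and the two byte payloads are all constructed here for the example; none of them are taken from the RustFS source.

```rust
use std::panic;

/// Hypothetical decoded form of a metrics request: a list of metric names.
#[derive(Debug, PartialEq)]
pub struct MetricsRequest {
    pub names: Vec<String>,
}

/// Errors from the toy MessagePack decoder below.
#[derive(Debug, PartialEq)]
pub enum DecodeError {
    Truncated,
    UnexpectedType(u8),
    InvalidUtf8,
    TrailingBytes,
}

/// Decode a msgpack fixarray whose elements are fixstr or str8 strings.
/// Only these formats are handled; the point is that every failure path
/// returns Err instead of panicking.
pub fn decode_request(buf: &[u8]) -> Result<MetricsRequest, DecodeError> {
    let mut pos = 0;
    let head = *buf.get(pos).ok_or(DecodeError::Truncated)?;
    pos += 1;
    if head & 0xf0 != 0x90 {
        return Err(DecodeError::UnexpectedType(head));
    }
    let count = (head & 0x0f) as usize;
    let mut names = Vec::with_capacity(count);
    for _ in 0..count {
        let tag = *buf.get(pos).ok_or(DecodeError::Truncated)?;
        pos += 1;
        let len = match tag {
            0xa0..=0xbf => (tag & 0x1f) as usize,
            0xd9 => {
                let l = *buf.get(pos).ok_or(DecodeError::Truncated)? as usize;
                pos += 1;
                l
            }
            other => return Err(DecodeError::UnexpectedType(other)),
        };
        let bytes = buf.get(pos..pos + len).ok_or(DecodeError::Truncated)?;
        pos += len;
        let s = std::str::from_utf8(bytes).map_err(|_| DecodeError::InvalidUtf8)?;
        names.push(s.to_owned());
    }
    if pos != buf.len() {
        return Err(DecodeError::TrailingBytes);
    }
    Ok(MetricsRequest { names })
}

/// Stand-in for the gRPC status a real handler would return (e.g. INVALID_ARGUMENT).
#[derive(Debug, PartialEq)]
pub enum Status {
    InvalidArgument(String),
}

/// Vulnerable shape: unwrap() on client-supplied bytes. A malformed payload
/// panics here; in a server that aborts the handler task for that request.
pub fn handler_unwrap(payload: &[u8]) -> usize {
    let req = decode_request(payload).unwrap();
    req.names.len()
}

/// Hardened shape: the decode error becomes a status the client receives,
/// and the task keeps running for the next request.
pub fn handler_checked(payload: &[u8]) -> Result<usize, Status> {
    let req = decode_request(payload)
        .map_err(|e| Status::InvalidArgument(format!("bad metrics request: {e:?}")))?;
    Ok(req.names.len())
}

/// Run a handler under catch_unwind so a panic is observed as `true`
/// rather than taking the process down.
pub fn panics<F: FnOnce() -> usize>(f: F) -> bool {
    panic::catch_unwind(panic::AssertUnwindSafe(f)).is_err()
}

/// Constructed payloads for the example (not captured traffic):
/// a well-formed array ["cpu", "mem"] and the same array cut off mid-string.
pub const VALID: &[u8] = &[0x92, 0xa3, b'c', b'p', b'u', 0xa3, b'm', b'e', b'm'];
pub const TRUNCATED: &[u8] = &[0x92, 0xa3, b'c', b'p'];

fn main() {
    // Silence the default panic message so the demo output stays readable.
    panic::set_hook(Box::new(|_| {}));
    println!("unwrap handler, valid payload panics:     {}", panics(|| handler_unwrap(VALID)));
    println!("unwrap handler, truncated payload panics: {}", panics(|| handler_unwrap(TRUNCATED)));
    println!("checked handler, valid:     {:?}", handler_checked(VALID));
    println!("checked handler, truncated: {:?}", handler_checked(TRUNCATED));
}
```

The same `?` plus `map_err` rewrite is what a fix for this class of bug looks like in a tonic handler, where the target type would be `tonic::Status::invalid_argument`; whether a surviving panic would also bring down the whole process depends on the runtime's panic handling, which is why the hardened form returns an error rather than relying on the runtime to contain the panic.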
How can this vulnerability impact me?
This vulnerability allows a remote denial of service (DoS): a single malformed request panics the handler that serves metrics requests. At minimum this interrupts the metrics service; depending on how panics are handled by the runtime, it may also destabilize or crash the whole RustFS process. An attacker who can reach the gRPC port and present the expected authorization token can therefore disrupt monitoring and potentially affect the availability of the RustFS service itself. [1]
What immediate steps should I take to mitigate this vulnerability?
Upgrade RustFS to version 1.0.0-alpha.78 or later, where the panic is fixed; this is the only step that removes the bug. Until then, reduce who can trigger it: replace the static authorization token with a secret set via the environment variable RUSTFS_GRPC_AUTH_TOKEN, and restrict network access to the gRPC port (default 9000) to trusted clients. The token and network controls limit exposure but do not fix the handler, so an authorized or on-network client can still crash it on an unpatched build. [1, 2]