CVE-2025-2240

March 13, 2025, 8:15 p.m.

7.5
High

Description

A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue.

Product(s) Impacted

Vendor Product Versions
Smallrye
  • Smallrye-fault-tolerance
  • *

Weaknesses

CWE-1325
Improperly Controlled Sequential Memory Allocation
The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects.

*CPE(s)

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a smallrye smallrye-fault-tolerance / / / / / / / /

References

https://access.redhat.com/security/cve/CVE-2025-2240
https://bugzilla.redhat.com/show_bug.cgi?id=2351452
https://github.com/advisories/GHSA-gfh6-3pqw-x2j4

Tags

secalert@redhat.com
CWE-1325
2025-03-12
CVE-2025-2240

CVSS Score

7.5 / 10

CVSS Data

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH
    • View Vector String

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Date

  • Published: March 12, 2025, 3:15 p.m.
  • Last Modified: March 13, 2025, 8:15 p.m.

Status : Awaiting Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

secalert@redhat.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.