CVE-2025-55181
Dec. 3, 2025, 1:15 a.m.
5.3
Medium
Description
Sending an HTTP request/response body with greater than 2^31 bytes triggers an infinite loop in proxygen::coro::HTTPQuicCoroSession which blocks the backing event loop and unconditionally appends data to a std::vector per-loop iteration. This issue leads to unbounded memory growth and eventually causes the process to run out of memory.
Product(s) Impacted
| Vendor | Product | Versions |
|---|---|---|
|
|
Weaknesses
Common security weaknesses mapped to this vulnerability.
CWE-834
Excessive Iteration
The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.
*CPE(s)
Affected systems and software identified for this CVE.
| Type | Vendor | Product | Version | Update | Edition | Language | Software Edition | Target Software | Target Hardware | Other Information |
|---|---|---|---|---|---|---|---|---|---|---|
| a | proxygen | / | / | / | / | / | / | / | / |
Tags
CVSS Score
CVSS Data - 3.1
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- Scope: UNCHANGED
- Confidentiality Impact: NONE
- Integrity Impact: NONE
- Availability Impact: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Timeline
Published: Dec. 2, 2025, 10:16 p.m.
Last Modified: Dec. 3, 2025, 1:15 a.m.
Last Modified: Dec. 3, 2025, 1:15 a.m.
Status : Received
CVE has been recently published to the CVE List and has been received by the NVD.
More infoSource
cve-assign@fb.com
*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.