CVE-2025-2240 in SmallRye
Summary
by MITRE • 03/12/2025
A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue.
Analysis
by VulDB Data Team • 05/24/2026
The vulnerability resides in the SmallRye fault tolerance implementation, where an out-of-memory condition can be triggered externally through the metrics endpoint. It is a critical denial of service flaw: unauthorized actors can consume excessive heap and potentially crash the application. The issue manifests when the metrics URI is invoked repeatedly, producing a memory leak that gradually depletes available heap space. It has been classified as a memory leak or resource exhaustion issue that can be leveraged for service disruption attacks.
The technical root cause is improper management of metric objects in the internal meterMap data structure. Each invocation of the metrics endpoint creates new objects and adds them to this map without any cleanup or size limit, so allocations accumulate and the meterMap collection grows without bound. Because the map keeps a strong reference to every object it holds, the garbage collector cannot reclaim them even once they are no longer needed, and they continue to consume memory until the heap is exhausted. This behavior aligns with CWE-400, which categorizes resource exhaustion vulnerabilities, and is a classic example of uncontrolled resource consumption.
The operational impact goes beyond raised memory usage to complete service disruption and potential system instability. When the heap is exhausted, applications using SmallRye fault tolerance may crash, degrade severely, or lose the metrics endpoint entirely. An attacker only needs to call the metrics URI repeatedly to drive a gradual but steady increase in memory usage until the process reaches its memory limit. This is particularly damaging in containerized and cloud deployments where memory limits are strictly enforced, since exceeding them leads to pod termination or scaling problems. Because monitoring and operations depend on these metrics, the flaw also opens the door to broader denial of service against the systems that rely on them.
Mitigation should focus on proper resource management and rate limiting. The most effective fix is to bound the size of the meterMap collection and to clean up metric objects that are no longer in use. In addition, the metrics endpoint should be rate limited to prevent excessive calls from a single source or across the system as a whole. Organizations should also deploy memory monitoring and alerting that detects unusual memory growth and triggers automated responses, and adopt cleanup routines that stop unused objects from accumulating. Security teams should further review their monitoring configurations so that metrics endpoints are protected by access controls and cannot be exploited by unauthorized callers. This vulnerability underlines the importance of resource management in distributed systems and aligns with ATT&CK technique T1499.004 for resource exhaustion attacks, where adversaries leverage memory leaks to disrupt system availability and compromise service integrity.
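The root cause and the mitigation above can be seen side by side in the following added example, which is not SmallRye's code: a hypothetical LeakyRegistry reproduces the pattern of registering a fresh object in meterMap on every metrics call, while BoundedRegistry keys meters by their logical identity, reuses them, and caps the map. The Meter and registry classes, the method names, and the scrape loop are all constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class MeterMapDemo {
    public static void main(String[] args) {
        LeakyRegistry leaky = new LeakyRegistry();
        BoundedRegistry bounded = new BoundedRegistry(64);
        // Constructed workload: 10,000 scrapes of the metrics endpoint covering only 8 methods.
        for (int i = 0; i < 10_000; i++) {
            String method = "com.example.OrderService#place" + (i % 8);
            leaky.meterFor(method).hits++;
            bounded.meterFor(method).hits++;
        }
        System.out.println("leaky meterMap entries:   " + leaky.size());
        System.out.println("bounded meterMap entries: " + bounded.size());
    }
}

/** Hypothetical stand-in for a per-method meter; not a SmallRye class. */
class Meter {
    long hits;
}

/** Bug pattern: every call allocates a new Meter under a fresh key, and nothing ever removes it. */
class LeakyRegistry {
    private final Map<Object, Meter> meterMap = new ConcurrentHashMap<>();

    Meter meterFor(String method) {
        Meter m = new Meter();
        meterMap.put(new Object(), m);   // new key per call: never reused, never evicted
        return m;
    }

    int size() { return meterMap.size(); }
}

/** Hardened pattern: key by logical identity, reuse existing meters, and cap the map. */
class BoundedRegistry {
    private final Map<String, Meter> meterMap;

    BoundedRegistry(int maxEntries) {
        // Access-ordered LinkedHashMap drops the least recently used entry once over capacity.
        meterMap = new LinkedHashMap<>(16, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, Meter> eldest) {
                return size() > maxEntries;
            }
        };
    }

    synchronized Meter meterFor(String method) {
        return meterMap.computeIfAbsent(method, k -> new Meter());
    }

    synchronized int size() { return meterMap.size(); }
}
```

Run with `java MeterMapDemo.java`; the leaky map ends with one entry per scrape while the bounded map holds one entry per method, which is the growth pattern a heap-usage alert on the metrics endpoint should be tuned to catch.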