CVE-2025-2240
Published: 12 March 2025
Description
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Security Summary
CVE-2025-2240, published on 2025-03-12, is a vulnerability in the SmallRye Fault Tolerance component (smallrye-fault-tolerance) that leads to an out-of-memory (OOM) condition. The flaw is externally triggered by calling the metrics URI: every request creates a new object in the meterMap instead of reusing the existing meter, so the map grows without bound and the JVM heap is eventually exhausted, producing a denial-of-service (DoS) condition. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-1325 (Improperly Controlled Sequential Memory Allocation).
Any unauthenticated attacker with network access to the affected metrics endpoint can exploit this vulnerability. Repeated calls to the URI drive unbounded object allocation in the meterMap, resulting in memory exhaustion and disruption of service availability, with no impact on confidentiality or integrity. Because the growth is per call rather than per distinct metric, it is not specific to malicious traffic: a legitimate scraper polling the endpoint at a short interval drives the same accumulation, only more slowly, so operators should treat the endpoint's reachability and scrape rate as part of the exposure, not just whether it is Internet-facing.
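The following Python script is an added illustration of the allocation pattern described above; it is not SmallRye's code, and the key and meter classes, method names and the way the key loses value equality are assumptions chosen to make the mechanism visible, not a claim about the project's actual root cause. It contrasts a registry that allocates a fresh meter under a fresh key on every scrape with one that looks meters up by value-equal key, and includes the check a practitioner would run against either: scrape repeatedly and confirm the registry does not grow after the first scrape.

```python
"""Added illustration (not SmallRye's own code) of the CVE-2025-2240 pattern:
a metrics endpoint that allocates a new meter into a registry map on every
request, so repeated unauthenticated scrapes exhaust the heap.

Assumptions for the demo: the key/meter classes, the guarded method names and
the idea that the bug stems from a key without value equality are all
hypothetical; the real root cause may differ."""

from dataclasses import dataclass


class UnstableKey:
    """Assumed bug shape: a key type with no value-based equality. Python, like
    Java without equals()/hashCode(), then compares by identity, so the key
    built for this request never matches the one stored by the last request."""

    def __init__(self, method: str, kind: str):
        self.method = method
        self.kind = kind


@dataclass(frozen=True)
class MeterKey:
    """Hardened key: a frozen dataclass gets value-based __eq__ and __hash__."""

    method: str
    kind: str


class Meter:
    """Stand-in for a metrics meter (a counter) bound to exactly one key."""

    def __init__(self, key):
        self.key = key
        self.invocations = 0


def _format_line(meter, method: str) -> str:
    # Prometheus-style exposition line; the metric name is a constructed example.
    return f'ft_{meter.key.kind}{{method="{method}"}} {meter.invocations}'


class VulnerableRegistry:
    """Every call to render() misses the lookup and stores a fresh Meter under a
    fresh identity-hashed key, so meter_map gains one entry per guarded method
    per scrape and never shrinks."""

    def __init__(self):
        self.meter_map = {}

    def render(self, guarded_methods):
        lines = []
        for method in guarded_methods:
            key = UnstableKey(method, "invocations")
            meter = self.meter_map.get(key)  # always None: identity-keyed
            if meter is None:
                meter = Meter(key)
                self.meter_map[key] = meter  # unbounded growth per scrape
            lines.append(_format_line(meter, method))
        return "\n".join(lines)


class HardenedRegistry:
    """Meters are looked up by value-equal key and created at most once each, so
    the map size is bounded by the number of distinct guarded methods."""

    def __init__(self):
        self.meter_map = {}

    def render(self, guarded_methods):
        lines = []
        for method in guarded_methods:
            key = MeterKey(method, "invocations")
            meter = self.meter_map.get(key)
            if meter is None:
                meter = Meter(key)
                self.meter_map[key] = meter  # happens once per distinct key
            lines.append(_format_line(meter, method))
        return "\n".join(lines)


def scrape_growth(registry, guarded_methods, scrapes: int) -> int:
    """Practitioner check: render the endpoint `scrapes` times and return how
    many registry entries were added after the first render. A metrics endpoint
    should be idempotent, so any value above 0 is a per-request leak."""
    registry.render(guarded_methods)
    baseline = len(registry.meter_map)
    for _ in range(scrapes - 1):
        registry.render(guarded_methods)
    return len(registry.meter_map) - baseline


if __name__ == "__main__":
    # Constructed sample: two guarded methods, 1000 scrapes.
    methods = ["OrderService.place", "OrderService.cancel"]
    print("vulnerable growth:", scrape_growth(VulnerableRegistry(), methods, 1000))
    print("hardened growth:  ", scrape_growth(HardenedRegistry(), methods, 1000))
```

The same check applies to a live endpoint: scrape it a few hundred times and compare a heap or registry-size metric (or the process RSS) before and after. A registry whose size tracks the scrape count, rather than the number of distinct metrics, has this class of bug regardless of which key type is at fault.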
Red Hat has issued patches via errata RHSA-2025:3376, RHSA-2025:3541, and RHSA-2025:3543. Further details on the issue and remediation are documented in the Red Hat security advisory for CVE-2025-2240 and Bugzilla entry 2351452.
Details
- CWE(s): CWE-1325 (Improperly Controlled Sequential Memory Allocation)
MITRE ATT&CK Enterprise Techniques
- T1499.003: Endpoint Denial of Service: Application Exhaustion Flood
Why these techniques?
The vulnerability allows repeated unauthenticated requests to the metrics endpoint to trigger unbounded object allocation in meterMap, which is precisely an Application Exhaustion Flood (T1499.003): the attacker hammers a resource-intensive feature until memory is exhausted and the application is unavailable, with no confidentiality or integrity impact.