CVE-2025-27421
Published: 03 March 2025
Description
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Security Summary
CVE-2025-27421 is a critical goroutine leak vulnerability in the Server-Sent Events (SSE) implementation of the Abacus server, a highly scalable and stateless counting API. When a client disconnects from the /stream endpoint, the server fails to clean up the associated resources and terminate the goroutines serving that connection, because channels in the event-handling mechanism are not properly closed. The affected goroutines remain blocked indefinitely, so resources are exhausted over time: memory usage grows until the server eventually stops accepting new SSE connections while its process continues to run. The vulnerability affects Abacus versions prior to 1.4.0 and is mapped to CWE-400 (Uncontrolled Resource Consumption) and CWE-772 (Missing Release of Resource after Effective Lifetime), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Unauthenticated attackers with network access can exploit this vulnerability with low complexity and no user interaction. By repeatedly connecting to and then disconnecting from the /stream SSE endpoint, an attacker triggers the goroutine leak, progressively exhausting server resources. This achieves a denial-of-service condition, rendering the SSE functionality unavailable due to memory saturation and connection refusal, while the server process persists.
The vulnerability is addressed in Abacus version 1.4.0. Mitigation requires upgrading to this patched release. Additional details are available in the fix commit at https://github.com/JasonLovesDoggo/abacus/commit/898ff1204e11317cc161240b660e63eed5a72b33 and the GitHub security advisory at https://github.com/JasonLovesDoggo/abacus/security/advisories/GHSA-vh64-54px-qgf8.
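The leak pattern the advisory describes, reduced to a runnable Go simulation. This is an added example, not Abacus's code or the fix commit: a producer goroutine feeding an unbuffered channel is left blocked forever once its reader (the request handler) returns, while the corrected variant races every send against the request context, which net/http cancels when the client disconnects. The function names are hypothetical; the producer goroutines stand in for the SSE event loop.

```go
package main

import (
	"context"
	"runtime"
	"time"
)

// leakyProducer is the vulnerable pattern: it sends on an unbuffered channel without
// checking whether the reader is still alive, so it blocks forever after a disconnect.
func leakyProducer(ch chan<- int) {
	for i := 0; ; i++ {
		ch <- i // blocks indefinitely once the handler has returned
	}
}

// safeProducer is the corrected pattern: each send is raced against ctx.Done(), so
// cancelling the request context lets the goroutine return and release its resources.
func safeProducer(ctx context.Context, ch chan<- int) {
	defer close(ch)
	for i := 0; ; i++ {
		select {
		case ch <- i:
		case <-ctx.Done():
			return
		}
	}
}

// simulateClients models n SSE clients that each connect, read one event and disconnect,
// then returns how many producer goroutines are still alive; anything above zero is a leak.
func simulateClients(n int, fixed bool) int {
	before := runtime.NumGoroutine()
	for i := 0; i < n; i++ {
		ctx, cancel := context.WithCancel(context.Background())
		ch := make(chan int)
		if fixed {
			go safeProducer(ctx, ch)
		} else {
			go leakyProducer(ch)
		}
		<-ch     // the client receives one event...
		cancel() // ...and disconnects, cancelling the request context
	}
	deadline := time.Now().Add(time.Second) // cancelled producers exit; leaked ones never do
	for runtime.NumGoroutine() > before && time.Now().Before(deadline) {
		time.Sleep(5 * time.Millisecond)
	}
	return runtime.NumGoroutine() - before
}
```

Running the two variants side by side shows the vulnerable producer leaving exactly one blocked goroutine per client session, which is the growth that eventually exhausts memory on a real server.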
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes an unauthenticated network-accessible resource exhaustion vulnerability (goroutine leak) in the Abacus SSE /stream endpoint that attackers can trigger via repeated connect/disconnect requests to exhaust memory and block new connections, directly enabling an Application Exhaustion Flood for denial of service.