CVE-2025-2240
📋 TL;DR
CVE-2025-2240 is a memory exhaustion vulnerability in Smallrye Fault Tolerance: repeated calls to the metrics endpoint cause unbounded memory allocation, eventually exhausting the JVM heap and denying service. It affects applications that use Smallrye Fault Tolerance with metrics enabled. Because metrics endpoints are commonly exposed without authentication, an attacker who can reach the endpoint over the network can trigger the condition without credentials.
💻 Affected Systems
- Smallrye Fault Tolerance
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete application crash and unavailability due to out-of-memory conditions, requiring manual intervention to restart services.
Likely Case
Progressive performance degradation leading to service disruption and potential cascading failures in dependent systems.
If Mitigated
Limited impact with proper monitoring and resource limits, though some performance degradation may still occur during attacks.
🎯 Exploit Status
Exploitation requires nothing more than repeated HTTP requests to the metrics endpoint; no special tools or techniques are needed, only network reachability of that endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Red Hat advisories for specific fixed versions
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2025-2240
Restart Required: Yes
Instructions:
1. Review Red Hat advisories RHSA-2025:3376, RHSA-2025:3541 and RHSA-2025:3543 to identify the fixed build for your product.
2. Update Smallrye Fault Tolerance to the patched version.
3. Restart the affected applications.
4. Verify metrics endpoint behavior.
🔧 Temporary Workarounds
Disable fault tolerance metrics
Disable or restrict access to the metrics endpoint so the allocation cannot be triggered remotely.
Set the MicroProfile Fault Tolerance configuration property MP_Fault_Tolerance_Metrics_Enabled=false (in application.properties or as an environment variable) so that Smallrye Fault Tolerance stops registering its metrics, then confirm that the fault tolerance metric names no longer appear in the endpoint output.
Rate limit metrics endpoint
Apply rate limiting or request throttling to the metrics URI, keyed on source address, with a threshold comfortably above the scrape interval of your legitimate monitoring.
Enforce it at the reverse proxy, web server or application firewall in front of the application, and where possible allow only the monitoring system's addresses to reach /metrics paths.
🧯 If You Can't Patch
- Implement network-level access controls to restrict metrics endpoint access
- Deploy memory monitoring and alerting to detect abnormal memory consumption patterns
🔍 How to Verify
Check if Vulnerable:
Confirm that the application depends on Smallrye Fault Tolerance, directly or transitively (for example through the quarkus-smallrye-fault-tolerance extension), that fault tolerance metrics are enabled (they are unless explicitly turned off), and that the deployed version is older than the fix named in the applicable Red Hat advisory.
Check Version:
Inspect the build's resolved dependencies (for example the Maven or Gradle dependency tree) for io.smallrye:smallrye-fault-tolerance artifacts and record the version in use.
Verify Fix Applied:
Confirm the deployed Smallrye Fault Tolerance version matches the fixed version named in the applicable Red Hat advisory, then exercise the metrics endpoint repeatedly under load while watching JVM heap usage; a patched build should show heap returning to baseline after garbage collection rather than growing with each request.
📡 Detection & Monitoring
Log Indicators:
- Requests to metrics endpoints at a rate well above the monitoring system's scrape interval, especially from addresses that are not the monitoring system
- OutOfMemoryError in application logs
- High memory usage alerts
Network Indicators:
- High volume of requests to /metrics endpoints
- Abnormal traffic patterns to metrics URIs
SIEM Query:
Access logs, metrics URIs bucketed per source and minute (the threshold is a tuning assumption; set it above the normal scrape rate of your monitoring):
source="access.logs" uri_path IN ("/metrics", "/q/metrics") | bin _time span=1m | stats count by src_ip, _time | where count > 60
Application logs, OutOfMemoryError correlated by host rather than by source IP (the JVM error line carries no client address):
source="application.logs" "java.lang.OutOfMemoryError" | stats count by host
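The per-source sliding-window logic behind both the rate-limit workaround above and the detection indicators in this section, as an added example (not code from SmallRye, Quarkus or Red Hat). The same counter serves two purposes: as a limiter decision for the metrics URI and as an offline detector over access and application logs. The metrics paths, the thresholds, and every log line are constructed assumptions; adjust them to your deployment.

```python
# Added example: sliding-window counter used as a metrics-URI limiter and as a
# log detector for CVE-2025-2240 style hammering. Not project code.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed metrics URIs (Quarkus serves /q/metrics; adjust to the deployment).
METRICS_PATHS = ("/metrics", "/q/metrics")

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
OOM_RE = re.compile(r"java\.lang\.OutOfMemoryError")


class SlidingWindow:
    """Per-key sliding-window hit counter (timestamps kept in a deque per key)."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(deque)

    def record(self, key, ts):
        """Record a hit at ts; return hits from key within the trailing window."""
        q = self._hits[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > self.window:
            q.popleft()
        return len(q)

    def allow(self, key, ts):
        """Limiter decision. Rejected hits are still counted, so a client that
        keeps hammering stays blocked until it backs off for a full window."""
        return self.record(key, ts) <= self.limit


def is_metrics_path(path):
    return any(path == p or path.startswith(p + "/") for p in METRICS_PATHS)


def parse_access_line(line):
    """Parse a combined-format access-log line; None when it does not match."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"].split("?", 1)[0],   # drop the query string
        "status": int(m["status"]),
    }


def find_metrics_floods(lines, threshold=10, window_seconds=60):
    """Map each source IP to the peak number of metrics requests it made in
    any trailing window of window_seconds, for IPs that reached threshold."""
    recs = [r for r in map(parse_access_line, lines)
            if r is not None and is_metrics_path(r["path"])]
    recs.sort(key=lambda r: r["ts"])            # logs may interleave sources
    win = SlidingWindow(threshold, window_seconds)
    peaks = {}
    for r in recs:
        n = win.record(r["ip"], r["ts"])
        if n >= threshold:
            peaks[r["ip"]] = max(peaks.get(r["ip"], 0), n)
    return peaks


def find_oom_events(lines):
    """Application-log lines carrying a JVM OutOfMemoryError."""
    return [line for line in lines if OOM_RE.search(line)]


def _access_line(ip, second, path, status=200):
    return (f'{ip} - - [10/Mar/2025:12:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 4120 "-" "curl/8.4.0"')


# Constructed sample access log: one source hammers /q/metrics, one scrapes
# it at a normal interval, one only uses the API.
SAMPLE_ACCESS_LOG = (
    [_access_line("203.0.113.5", s, "/q/metrics") for s in range(12)]
    + [_access_line("198.51.100.7", 0, "/q/metrics"),
       _access_line("198.51.100.7", 45, "/q/metrics")]
    + [_access_line("192.0.2.9", s, "/api/orders?id=7") for s in range(0, 30, 5)]
)

# Constructed sample application log.
SAMPLE_APP_LOG = [
    "2025-03-10 12:00:09,120 INFO  [io.quarkus] (main) Profile prod activated.",
    "2025-03-10 12:00:11,004 ERROR [io.vertx.core.impl.ContextImpl] "
    "(vert.x-eventloop-thread-0) Unhandled exception: "
    "java.lang.OutOfMemoryError: Java heap space",
]


def limiter_demo():
    """Decisions for one client allowed 3 metrics requests per 60 s: three
    admitted, the fourth rejected, then admitted again after backing off."""
    lim = SlidingWindow(limit=3, window_seconds=60)
    t0 = datetime(2025, 3, 10, 12, 0, tzinfo=timezone.utc)
    return [lim.allow("203.0.113.5", t0 + timedelta(seconds=s))
            for s in (0, 1, 2, 3, 64)]
```

Run `find_metrics_floods(SAMPLE_ACCESS_LOG)` to get the flooding source with its peak count, `find_oom_events(SAMPLE_APP_LOG)` for the OutOfMemoryError line, and `limiter_demo()` for the admit/reject sequence. Counting rejected requests in `allow` is deliberate: for a memory-exhaustion bug the goal is to keep an abusive client out, not to let it through at exactly the limit, and the offline detector reuses the same window so that tuning one threshold tells you what the other will do.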