CVE-2025-65942
📋 TL;DR
VictoriaMetrics versions 1.0.0-1.110.22, 1.111.0-1.122.7, and 1.123.0-1.129.0 are vulnerable to denial-of-service attacks where malformed snappy-compressed blocks bypass request size limits, causing excessive memory consumption and potential service crashes. This affects all deployments using vulnerable versions of VictoriaMetrics for time series monitoring.
💻 Affected Systems
- VictoriaMetrics
⚠️ Manual Verification Required
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage due to out-of-memory errors, disrupting monitoring capabilities and potentially affecting dependent systems.
Likely Case
Service instability with intermittent crashes or degraded performance during attacks.
If Mitigated
Minimal impact with proper request filtering and resource limits in place.
🎯 Exploit Status
Exploitation requires crafting malformed snappy-compressed blocks; no authentication is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.110.23, 1.122.8, or 1.129.1
Vendor Advisory: https://github.com/VictoriaMetrics/VictoriaMetrics/security/advisories/GHSA-66jq-2c23-2xh5
Restart Required: Yes
Instructions:
1. Identify the current VictoriaMetrics version.
2. Upgrade to a patched version (1.110.23, 1.122.8, or 1.129.1).
3. Restart the VictoriaMetrics service.
4. Verify the fix with a version check.
🔧 Temporary Workarounds
Rate Limiting
Implement request rate limiting to reduce the impact of DoS attempts.
# Use a reverse proxy such as nginx with rate limiting
# in the http {} context:
limit_req_zone $binary_remote_addr zone=vm_zone:10m rate=10r/s;
# in the server {} or location {} block that proxies to VictoriaMetrics:
limit_req zone=vm_zone burst=20 nodelay;
Memory Limits
Set strict memory limits on the VictoriaMetrics container or process.
# For Docker
docker run --memory=2g victoriametrics/victoria-metrics
# For systemd, in the [Service] section of the unit file
MemoryMax=2G
🧯 If You Can't Patch
- Implement network-level filtering to block malformed requests at load balancer or firewall.
- Deploy VictoriaMetrics behind a WAF with DoS protection rules.
🔍 How to Verify
Check if Vulnerable:
Check VictoriaMetrics version against affected ranges: 1.0.0-1.110.22, 1.111.0-1.122.7, or 1.123.0-1.129.0.
Check Version:
curl -s http://localhost:8428/metrics | grep -i victoriametrics_version
Verify Fix Applied:
Confirm version is 1.110.23+, 1.122.8+, or 1.129.1+ and monitor for memory spikes from snappy requests.
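The version check above is easy to get wrong by eye, because the three affected ranges are not contiguous and a plain string comparison mis-orders 1.110 and 1.9. The following is an added example (not code from the advisory or from the VictoriaMetrics project) that parses the release version out of /metrics output and compares it numerically against the ranges listed on this page. The metrics sample is constructed, and the assumed shape of the version sample (a `vm_app_version` line with a `short_version` label) is an assumption; adjust the regex if your build exposes it differently. Versions outside the listed ranges, including anything newer than 1.129.0, are reported as not affected.

```python
import re

# Affected ranges exactly as stated in the advisory, inclusive on both ends.
AFFECTED_RANGES = (
    ((1, 0, 0), (1, 110, 22)),
    ((1, 111, 0), (1, 122, 7)),
    ((1, 123, 0), (1, 129, 0)),
)


def parse_version(text):
    """Turn 'v1.122.7' or '1.122.7' into a comparable (1, 122, 7) tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no X.Y.Z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True if the version falls inside any affected range (numeric compare)."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def version_from_metrics(metrics_text):
    """Pull the release version out of /metrics output.

    Assumption: the exporter emits a vm_app_version sample carrying a
    short_version label; fall back to any X.Y.Z inside a version="..." label.
    """
    m = re.search(r'short_version="v?(\d+\.\d+\.\d+)"', metrics_text)
    if m:
        return m.group(1)
    m = re.search(r'version="[^"]*?(\d+\.\d+\.\d+)[^"]*"', metrics_text)
    return m.group(1) if m else None


def check_metrics(metrics_text):
    """Return ('affected' | 'not affected' | 'unknown', version_or_None)."""
    version = version_from_metrics(metrics_text)
    if version is None:
        return ("unknown", None)
    return ("affected" if is_affected(version) else "not affected", version)


# Constructed sample of /metrics output; not captured from a real server.
SAMPLE_METRICS = """\
vm_app_version{version="victoria-metrics-20251101-000000-tags-v1.122.7",short_version="v1.122.7"} 1
process_resident_memory_bytes 1.2e+08
"""

if __name__ == "__main__":
    # In practice feed this the body of: curl -s http://localhost:8428/metrics
    status, version = check_metrics(SAMPLE_METRICS)
    print(f"VictoriaMetrics {version}: {status}")
```

Pipe the real output in (`curl -s http://localhost:8428/metrics | python3 check.py` with a `sys.stdin.read()` in place of the sample) and run it again after the upgrade and restart to confirm the fix is in place.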
📡 Detection & Monitoring
Log Indicators:
- Out of memory errors in logs
- Unexpected process termination
- High memory usage spikes
Network Indicators:
- Unusually large or malformed requests to VictoriaMetrics endpoints
- Multiple rapid requests with snappy encoding
SIEM Query:
source="victoriametrics.log" AND ("OOM" OR "out of memory" OR "panic")
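To show the log and memory indicators above as running detection logic rather than a query string, here is an added example (not from the advisory or the VictoriaMetrics project) that applies the same OOM/out-of-memory/panic terms to a handful of constructed log lines and flags resident-memory spikes against a trailing median baseline. The log lines and memory samples are constructed; the match is case-insensitive and word-bounded for "OOM" so words like "room" do not trigger it, which is stricter than the raw SIEM query.

```python
import re
from statistics import median

# Same indicators as the SIEM query above; \bOOM\b avoids matching "room"/"zoom".
LOG_INDICATOR = re.compile(r"\bOOM\b|out of memory|panic", re.IGNORECASE)


def match_log_indicators(lines):
    """Return the log lines that carry an OOM / out-of-memory / panic indicator."""
    return [line for line in lines if LOG_INDICATOR.search(line)]


def memory_spikes(samples, window=5, factor=3.0):
    """Indexes where a sample exceeds `factor` times the median of the previous `window`.

    A trailing median is used as the baseline so one spike does not drag the
    baseline up and mask the next one.
    """
    spikes = []
    for i in range(window, len(samples)):
        baseline = median(samples[i - window:i])
        if baseline > 0 and samples[i] > factor * baseline:
            spikes.append(i)
    return spikes


# Constructed log lines for illustration; not real VictoriaMetrics output.
CONSTRUCTED_LOGS = [
    "2025-12-01T10:00:01Z info VictoriaMetrics started",
    "2025-12-01T10:05:12Z warn remote write request body is unusually large",
    "2025-12-01T10:05:13Z error panic: runtime error: out of memory",
    "2025-12-01T10:05:14Z kernel: Out of memory: Killed process 1234 (victoria-metrics)",
    "2025-12-01T10:05:20Z info restarting VictoriaMetrics",
]

# Constructed process_resident_memory_bytes samples in MB, one per scrape.
CONSTRUCTED_RSS_MB = [210, 215, 212, 218, 214, 2100, 220, 216]

if __name__ == "__main__":
    for line in match_log_indicators(CONSTRUCTED_LOGS):
        print("log indicator:", line)
    for i in memory_spikes(CONSTRUCTED_RSS_MB):
        print(f"memory spike at sample {i}: {CONSTRUCTED_RSS_MB[i]} MB")
```

Feed `memory_spikes` a series scraped from `process_resident_memory_bytes` at a fixed interval and alert on any flagged index; correlate it with the reverse-proxy access log for snappy-encoded write requests arriving in that window.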
🔗 References
- https://github.com/VictoriaMetrics/VictoriaMetrics/commit/51b44afd34d2c9a392d4ebedeeb5b4a7f5beca24
- https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.110.23
- https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.122.8
- https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.129.1
- https://github.com/VictoriaMetrics/VictoriaMetrics/security/advisories/GHSA-66jq-2c23-2xh5