CVE-2025-66909

7.5 HIGH

📋 TL;DR

This vulnerability allows unauthenticated attackers to cause denial of service by uploading specially crafted image files that trigger memory exhaustion when decompressed. The Turms AI-Serving module's image processing component fails to validate image dimensions before loading, enabling decompression bomb attacks. Any system running vulnerable versions with the OCR service exposed is affected.

💻 Affected Systems

Products:
  • Turms AI-Serving module
Versions: v0.10.0-SNAPSHOT and earlier
Operating Systems: All platforms running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists when image processing features are enabled and accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service unavailability through memory exhaustion crashes, potentially affecting all connected services in the same environment.

🟠 Likely Case: Service crashes and restarts causing intermittent availability issues and degraded performance for legitimate users.

🟢 If Mitigated: Minimal impact with proper input validation and resource limits in place.

🌐 Internet-Facing: HIGH - No authentication required and publicly accessible services can be directly targeted.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could still exploit, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple file upload attack with readily available decompression bomb creation tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not yet released

Vendor Advisory: https://github.com/turms-im/turms

Restart Required: Yes

Instructions:

1. Monitor the Turms GitHub repository for security updates.
2. Apply the patch when available.
3. Restart affected services.

🔧 Temporary Workarounds

Implement image validation middleware (applies to: all)

Add a pre-processing layer that validates image dimensions and file size before the file is passed to the vulnerable component.

Configure JVM memory limits (applies to: all)

Set strict memory limits to contain the damage from memory exhaustion attacks:

java -Xmx512m -Xms256m ...
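The following is an added example of the first workaround above (a pre-decode dimension check); it is not code from the Turms project or from the advisory. It assumes the upload path can be fronted by a javax.imageio header read; the class name ImageDimensionGuard, the limits MAX_BYTES, MAX_SIDE and MAX_PIXELS, and the pngHeader() helper that builds constructed test bytes are all inventions for this example. The point it demonstrates is that ImageReader.getWidth()/getHeight() parse only the file header (the PNG IHDR chunk, the JPEG SOF marker), so the declared size can be bounded before any decompressed pixel buffer is allocated, which is exactly the allocation a decompression bomb relies on.

```java
import javax.imageio.ImageIO;
import javax.imageio.ImageReader;
import javax.imageio.stream.ImageInputStream;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.util.Iterator;
import java.util.zip.CRC32;

/** Pre-decode guard: reject images whose header declares more pixels than we are willing to allocate. */
public final class ImageDimensionGuard {
    // Hypothetical limits chosen for this example; tune them to the service's real workload.
    static final long MAX_BYTES = 5L * 1024 * 1024; // compressed upload size
    static final int MAX_SIDE = 8192;               // max width or height in pixels
    static final long MAX_PIXELS = 20_000_000L;     // ~80 MB at 4 bytes per pixel

    public static final class RejectedImage extends IOException {
        public RejectedImage(String why) { super(why); }
    }

    /**
     * Reads only the image header and throws before any raster exists.
     * declaredLength is the Content-Length (or the bytes already buffered) of the upload.
     */
    public static void check(InputStream upload, long declaredLength) throws IOException {
        if (declaredLength > MAX_BYTES) {
            throw new RejectedImage("upload too large: " + declaredLength + " bytes");
        }
        try (ImageInputStream iis = ImageIO.createImageInputStream(upload)) {
            if (iis == null) throw new RejectedImage("not an image stream");
            Iterator<ImageReader> readers = ImageIO.getImageReaders(iis);
            if (!readers.hasNext()) throw new RejectedImage("unrecognised image format");
            ImageReader reader = readers.next();
            try {
                reader.setInput(iis, true, true);
                // getWidth/getHeight parse the header only; the decompressed raster
                // is not allocated until reader.read() is called, which we never do here.
                long w = reader.getWidth(0);
                long h = reader.getHeight(0);
                if (w <= 0 || h <= 0 || w > MAX_SIDE || h > MAX_SIDE) {
                    throw new RejectedImage("dimensions out of range: " + w + "x" + h);
                }
                if (w * h > MAX_PIXELS) {
                    throw new RejectedImage("too many pixels: " + (w * h));
                }
            } finally {
                reader.dispose();
            }
        }
    }

    /** Constructed test data: PNG signature plus an IHDR chunk with a valid CRC, no image data. */
    static byte[] pngHeader(int width, int height) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(new byte[]{(byte) 0x89, 'P', 'N', 'G', '\r', '\n', 0x1A, '\n'}, 0, 8);
        byte[] typeAndData = ByteBuffer.allocate(4 + 13)
                .put(new byte[]{'I', 'H', 'D', 'R'})
                .putInt(width).putInt(height)
                .put((byte) 8)                              // bit depth
                .put((byte) 6)                              // colour type: RGBA
                .put((byte) 0).put((byte) 0).put((byte) 0)  // compression, filter, interlace
                .array();
        CRC32 crc = new CRC32();
        crc.update(typeAndData);                            // CRC covers chunk type + data
        out.write(ByteBuffer.allocate(4).putInt(13).array(), 0, 4);
        out.write(typeAndData, 0, typeAndData.length);
        out.write(ByteBuffer.allocate(4).putInt((int) crc.getValue()).array(), 0, 4);
        return out.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        byte[] small = pngHeader(640, 480);        // 307,200 pixels: accepted
        byte[] bomb = pngHeader(100_000, 100_000); // 10^10 pixels declared in 33 bytes
        check(new ByteArrayInputStream(small), small.length);
        System.out.println("640x480 header accepted");
        try {
            check(new ByteArrayInputStream(bomb), bomb.length);
            System.out.println("BUG: bomb header accepted");
        } catch (RejectedImage e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with javac ImageDimensionGuard.java && java ImageDimensionGuard. Two caveats for real use: the check consumes the stream, so buffer the upload (within MAX_BYTES) and hand a fresh stream to the actual decoder afterwards; and only image index 0 is inspected, so for multi-frame formats such as GIF a stricter version would bound every frame via getNumImages(true) and also cap the frame count.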

🧯 If You Can't Patch

  • Restrict image upload functionality to authenticated users only
  • Implement rate limiting and file size restrictions on upload endpoints

🔍 How to Verify

Check if Vulnerable:

Check if running Turms AI-Serving v0.10.0-SNAPSHOT or earlier with image processing enabled.

Check Version:

Check application version in configuration or via API endpoints if available.

Verify Fix Applied:

Test with known decompression bomb images after applying fixes to ensure proper validation occurs.

📡 Detection & Monitoring

Log Indicators:

  • OutOfMemoryError exceptions
  • Repeated service crashes
  • Unusually large memory allocation patterns

Network Indicators:

  • Multiple image upload requests from single source
  • Small compressed files followed by memory spikes

SIEM Query:

source="application.logs" AND ("OutOfMemoryError" OR "java.lang.OutOfMemoryError") AND process="turms-ai-serving"
