CVE-2025-69255
📋 TL;DR
A malformed gRPC GetMetrics request can cause RustFS to panic and crash the handler thread, enabling remote denial of service attacks against the metrics endpoint. This affects RustFS versions 1.0.0-alpha.13 through 1.0.0-alpha.77. Organizations using vulnerable RustFS deployments are at risk of service disruption.
💻 Affected Systems
- RustFS
📦 What is this software?
Rustfs by Rustfs
⚠️ Risk & Real-World Impact
Worst Case
Attackers could repeatedly crash the metrics endpoint handler threads, causing complete unavailability of metrics functionality and potentially cascading failures if metrics are critical for monitoring or automation.
Likely Case
Intermittent denial of service affecting the metrics endpoint, disrupting monitoring capabilities but not core storage functionality.
If Mitigated
Limited impact with proper network segmentation and access controls restricting access to the metrics endpoint.
🎯 Exploit Status
Exploitation requires sending a malformed gRPC request to the metrics endpoint, which is trivial for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.0-alpha.78
Vendor Advisory: https://github.com/rustfs/rustfs/security/advisories/GHSA-gw2x-q739-qhcr
Restart Required: Yes
Instructions:
1. Stop the RustFS service.
2. Update to version 1.0.0-alpha.78 or later using your package manager or by downloading from GitHub.
3. Restart the RustFS service.
🔧 Temporary Workarounds
Network Access Restriction
Linux: Restrict network access to the RustFS metrics endpoint using firewall rules.
iptables -A INPUT -p tcp --dport <metrics_port> -j DROP
Disable Metrics Endpoint
All platforms: Temporarily disable the gRPC metrics endpoint in the RustFS configuration.
Edit RustFS config to set metrics.enabled = false
🧯 If You Can't Patch
- Implement strict network segmentation to isolate RustFS metrics endpoints from untrusted networks.
- Deploy rate limiting or WAF rules to block malformed gRPC requests targeting the metrics endpoint.
🔍 How to Verify
Check if Vulnerable:
Check the RustFS version with 'rustfs --version' or examine the installed package version. If the version is between 1.0.0-alpha.13 and 1.0.0-alpha.77 inclusive, the system is vulnerable.
Check Version:
rustfs --version
Verify Fix Applied:
After patching, verify that the reported version is 1.0.0-alpha.78 or later, then test the metrics endpoint with valid requests to confirm it still serves metrics.
📡 Detection & Monitoring
Log Indicators:
- RustFS panic logs mentioning 'unwrap()' or 'deserialization' in metrics handler
- Sudden termination of metrics endpoint threads
Network Indicators:
- Unusual gRPC traffic patterns to metrics endpoint
- Malformed gRPC requests with invalid metric_type/opts fields
SIEM Query:
source="rustfs" AND ("panic" OR "unwrap" OR "deserialization") AND "metrics"
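The version check from "How to Verify" and the log indicators from "Detection & Monitoring" above, as an added helper script (not part of the advisory or of RustFS itself). It assumes `rustfs --version` prints a version string of the form `1.0.0-alpha.NN`; the log lines are constructed samples, not real RustFS output.

```python
import re

# Affected range stated in the advisory: 1.0.0-alpha.13 through 1.0.0-alpha.77
# inclusive; first fixed release is 1.0.0-alpha.78.
FIRST_VULNERABLE = (1, 0, 0, 13)
FIRST_FIXED = (1, 0, 0, 78)

# Assumption: the CLI prints "rustfs <major>.<minor>.<patch>[-alpha.<n>]".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-alpha\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch, alpha) parsed from `rustfs --version` output.
    A version without an -alpha suffix sorts after every alpha of that base."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch, alpha = m.groups()
    alpha_n = int(alpha) if alpha is not None else float("inf")
    return (int(major), int(minor), int(patch), alpha_n)


def is_vulnerable(version_output):
    """True when the parsed version falls inside the advisory's affected range."""
    return FIRST_VULNERABLE <= parse_version(version_output) < FIRST_FIXED


# Mirror of the advisory's SIEM query:
#   source="rustfs" AND ("panic" OR "unwrap" OR "deserialization") AND "metrics"
# Here the log file itself is the "rustfs" source, so only the term match is applied.
LOG_TERMS = ("panic", "unwrap", "deserialization")


def matches_indicator(line):
    lower = line.lower()
    return "metrics" in lower and any(term in lower for term in LOG_TERMS)


def triage_logs(lines):
    """Return the lines that match the advisory's log indicators."""
    return [line for line in lines if matches_indicator(line)]


# Constructed sample log lines (format is illustrative, not RustFS's real one).
SAMPLE_LOG = [
    "INFO  rustfs::metrics GetMetrics served in 2ms",
    "ERROR rustfs panic in metrics handler: called `Option::unwrap()` on a `None` value",
    "WARN  rustfs storage disk usage above 80%",
    "ERROR rustfs metrics deserialization failed for GetMetrics request",
]

if __name__ == "__main__":
    print("vulnerable:", is_vulnerable("rustfs 1.0.0-alpha.50"))
    for hit in triage_logs(SAMPLE_LOG):
        print("indicator:", hit)
```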