Improperly Controlled Sequential Memory Allocation
CVE-2025-2240
Summary
A flaw was found in SmallRye versions 6.3.0-RC2 through 6.4.1 and 6.5.0 through 6.8.0, where "smallrye-fault-tolerance" is vulnerable to an Out-Of-Memory (OOM) issue. The vulnerability is triggered externally by calling the metrics URI: every call creates a new object within "meterMap", which may lead to a Denial of Service (DoS).
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- NONE
- HIGH
CWE-1325 - Improperly Controlled Sequential Memory Allocation
The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects.
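As an added illustration of the CWE-1325 pattern the summary describes (a per-call allocation that the map never reuses), the following hypothetical Java class is not SmallRye code and does not reconstruct the real "meterMap" logic. It contrasts an identity-keyed map, where every scrape adds an entry that is never looked up again, with a value-keyed registry that reuses entries and enforces a hard upper bound. The class name, the metric name and the limit are all constructed for this example.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.LongAdder;

/** Hypothetical meter registry illustrating CWE-1325; not SmallRye code. */
public class MeterRegistryExample {

    /** A meter handle: counts how often a metric was observed. */
    static final class Meter {
        final String name;
        final LongAdder count = new LongAdder();
        Meter(String name) { this.name = name; }
    }

    /** Key that does NOT override equals/hashCode, so every instance is distinct. */
    static final class UnstableKey {
        final String name;
        UnstableKey(String name) { this.name = name; }
    }

    /** Key with value semantics: equal metric names map to the same entry. */
    record StableKey(String name) {}

    // Vulnerable variant: identity-keyed map, so each scrape adds one more
    // entry that can never be found again; memory grows with request count.
    private final Map<UnstableKey, Meter> meterMapVulnerable = new ConcurrentHashMap<>();

    // Hardened variant: value-keyed map plus a cap on distinct meters
    // (constructed limit; a real registry would size this to its metric set).
    private static final int MAX_METERS = 1_000;
    private final Map<StableKey, Meter> meterMapHardened = new ConcurrentHashMap<>();

    /** Allocates a fresh key and meter on every call (the CWE-1325 pattern). */
    public Meter scrapeVulnerable(String metricName) {
        UnstableKey key = new UnstableKey(metricName);   // new identity per call
        Meter m = new Meter(metricName);
        meterMapVulnerable.put(key, m);                  // never replaces an entry
        m.count.increment();
        return m;
    }

    /** Reuses the existing meter for a name and refuses to exceed the cap. */
    public Meter scrapeHardened(String metricName) {
        StableKey key = new StableKey(metricName);
        // Check-then-act is approximate under concurrency; the bound may be
        // overshot by a few entries, which is acceptable for a safety cap.
        if (!meterMapHardened.containsKey(key) && meterMapHardened.size() >= MAX_METERS) {
            throw new IllegalStateException("meter limit reached, refusing to allocate " + metricName);
        }
        Meter m = meterMapHardened.computeIfAbsent(key, k -> new Meter(k.name()));
        m.count.increment();
        return m;
    }

    public int vulnerableSize() { return meterMapVulnerable.size(); }
    public int hardenedSize() { return meterMapHardened.size(); }

    public static void main(String[] args) {
        MeterRegistryExample r = new MeterRegistryExample();
        // Simulate 10,000 scrapes of one constructed metric name.
        for (int i = 0; i < 10_000; i++) {
            r.scrapeVulnerable("example.invocations");
            r.scrapeHardened("example.invocations");
        }
        System.out.println("vulnerable map entries: " + r.vulnerableSize());
        System.out.println("hardened map entries:   " + r.hardenedSize());
    }
}
```

Running the class shows the vulnerable map holding one entry per scrape while the hardened map holds a single entry for the one metric name. The two fixes are independent: keying by value stops duplicate entries for the same metric, and the cap ensures that even an attacker who can vary the metric name cannot grow the map past a known size. For an unfixed deployment, the practical detection signal is the same one the summary implies: heap usage that rises monotonically with the number of metrics-endpoint requests rather than with application load.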
References
Advisory Timeline
- Published