CVSS 7.5
CVE-2025-2240
- EPSS 0.62%
- Published 12.03.2025 14:55:15
- Last modified 21.05.2025 20:15:31
- Source secalert@redhat.com
A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue.
Data is provided by the CVE Program from a CVE Numbering Authority (CNA) (unstructured).
Collection URL: https://github.com/smallrye/smallrye-fault-tolerance
Package: smallrye-fault-tolerance-core
Default Status: unaffected
Version | Version < | Status |
---|---|---|
6.3.0 | 6.4.2 | affected |
6.5.0 | 6.9.0 | affected |
Vendor | Product | Default Status |
---|---|---|
Red Hat | Red Hat build of Apache Camel 4.8.5 for Spring Boot | unaffected |
Red Hat | Red Hat Build of Apache Camel 4.8 for Quarkus 3.15 | unaffected |
Red Hat | Red Hat Build of Apache Camel 4.8 for Quarkus 3.15 | unaffected |
Red Hat | Red Hat build of Quarkus 3.15.4 | unaffected |
Red Hat | Red Hat build of Apicurio Registry 2 | affected |
Red Hat | Red Hat build of Apicurio Registry 3 | affected |
Red Hat | Red Hat build of Quarkus | unaffected |
Red Hat | Red Hat Fuse 7 | unknown |
Red Hat | Red Hat Integration Camel K 1 | affected |
Red Hat | Red Hat JBoss Enterprise Application Platform 7 | unaffected |
Red Hat | Red Hat JBoss Enterprise Application Platform 8 | unaffected |
Red Hat | Red Hat JBoss Enterprise Application Platform Expansion Pack | unaffected |
No CISA KEV or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 0.62% | 0.691 |
Source | Base Score | Exploit Score | Impact Score | Vector string |
---|---|---|---|---|
secalert@redhat.com | 7.5 | 3.9 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CWE-1325 Improperly Controlled Sequential Memory Allocation
The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects.