
CVE-2025-65942: VictoriaMetrics Vulnerable to Denial-of-Service Attacks

Overview

This article discusses CVE-2025-65942, a low-severity Denial-of-Service (DoS) vulnerability affecting VictoriaMetrics, a scalable time series database. The vulnerability stems from improper handling of snappy-compressed data, potentially leading to excessive memory usage and service disruption.

Technical Details

VictoriaMetrics versions 1.0.0 through 1.110.22, 1.111.0 through 1.122.7, and 1.123.0 through 1.129.0 are susceptible to DoS attacks. The snappy decoder in these versions does not properly enforce request size limits. This allows attackers to send malformed snappy blocks, triggering excessive memory allocation. As a result, the VictoriaMetrics instance can experience Out-of-Memory (OOM) errors and become unstable or unavailable.

The fix implemented in versions 1.110.23, 1.122.8, and 1.129.1 enforces block-size checks based on the configured MaxRequest limits, preventing malicious payloads from exhausting system resources.
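The check described above, as an added Go example that is not VictoriaMetrics's own code: a snappy block begins with a little-endian base-128 varint carrying the uncompressed length, and a decoder that sizes its output buffer from that preamble before comparing it with the configured limit will allocate whatever a malformed block declares. The function names, error values and the 64 MiB limit below are assumptions for this example; the sample blocks are constructed inline.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Error values are assumptions for this example, not VictoriaMetrics identifiers.
var (
	ErrCorruptHeader = errors.New("snappy: corrupt or truncated length preamble")
	ErrTooLarge      = errors.New("snappy: declared decoded length exceeds limit")
)

// checkSnappyBlock inspects only the length preamble of a snappy block
// (a uvarint holding the uncompressed length) and returns that length if
// it is within maxDecoded. No output buffer is allocated, so a block that
// declares a huge length is rejected before it can cost any memory. This is
// the kind of block-size check the advisory says the fix enforces against
// the configured request limit.
func checkSnappyBlock(src []byte, maxDecoded uint64) (uint64, error) {
	declared, n := binary.Uvarint(src)
	if n <= 0 { // n == 0: truncated; n < 0: varint overflow
		return 0, ErrCorruptHeader
	}
	if declared > maxDecoded {
		return 0, ErrTooLarge
	}
	return declared, nil
}

// encodeLengthPreamble builds just the length preamble of a snappy block.
// It exists only to construct sample inputs for this example.
func encodeLengthPreamble(declared uint64) []byte {
	buf := make([]byte, binary.MaxVarintLen64)
	n := binary.PutUvarint(buf, declared)
	return buf[:n]
}

func main() {
	const maxRequest = 64 << 20 // constructed limit for the example: 64 MiB

	// Constructed sample 1: preamble declaring 12 bytes, followed by one
	// literal tag (0x2c = length 12) and its 12 bytes; passes the check.
	small := append(encodeLengthPreamble(12),
		[]byte{0x2c, 'h', 'e', 'l', 'l', 'o', ' ', 'w', 'o', 'r', 'l', 'd', '!'}...)

	// Constructed sample 2: a few bytes on the wire that declare a 1 TiB
	// decoded size. Without the limit check a naive decoder would try to
	// allocate that buffer; with it, the block is refused up front.
	oversized := append(encodeLengthPreamble(1<<40), 0x00, 0x00)

	// Constructed sample 3: empty body, no usable preamble at all.
	var empty []byte

	for name, blk := range map[string][]byte{"small": small, "oversized": oversized, "empty": empty} {
		n, err := checkSnappyBlock(blk, maxRequest)
		if err != nil {
			fmt.Printf("%-9s rejected: %v\n", name, err)
			continue
		}
		fmt.Printf("%-9s accepted: declared %d bytes within %d-byte limit\n", name, n, maxRequest)
	}
}
```

The declared length is only the first guard: the limit on the compressed request body still has to be enforced at the HTTP layer, and the real decoder must also verify that the literals and copies inside the block actually produce the declared number of bytes. Rejecting the preamble before allocation is what stops the memory spike described in the advisory.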

CVSS Analysis

  • CVE ID: CVE-2025-65942
  • Severity: LOW
  • CVSS Score: 2.7

A CVSS score of 2.7 indicates a low-severity vulnerability. While a successful exploit can cause a denial-of-service, the attack complexity is high and requires the attacker to craft and send specific, malformed snappy-compressed data.

Possible Impact

A successful exploitation of CVE-2025-65942 can lead to the following consequences:

  • Service Disruption: The VictoriaMetrics instance may become unresponsive, impacting monitoring and alerting capabilities.
  • Resource Exhaustion: Excessive memory usage can lead to OOM errors, potentially affecting other services on the same machine.
  • Data Loss: In extreme cases, an unstable system could lead to data corruption or loss, although this is less likely with this specific vulnerability.

Mitigation and Patch Steps

The recommended mitigation is to upgrade VictoriaMetrics to one of the following patched versions:

  • Version 1.110.23 or later
  • Version 1.122.8 or later
  • Version 1.129.1 or later

Follow these steps to upgrade:

  1. Download the latest version from the official VictoriaMetrics releases page.
  2. Stop the current VictoriaMetrics instance.
  3. Replace the existing binaries with the new ones.
  4. Start the VictoriaMetrics instance.

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
