Overview
CVE-2025-55181 is a medium severity vulnerability affecting Facebook’s Proxygen HTTP/3 library. This vulnerability allows a malicious actor to cause a denial-of-service (DoS) by triggering an infinite loop, leading to unbounded memory growth and eventual process termination due to out-of-memory conditions.
Technical Details
The vulnerability resides within the proxygen::coro::HTTPQuicCoroSession component. Specifically, sending an HTTP request or response body exceeding 2^31 bytes triggers an infinite loop. During this loop, the backing event loop is blocked, preventing other tasks from being processed. Crucially, with each iteration of the loop, data is unconditionally appended to a std::vector. This constant appending without proper size checks or limits results in unbounded memory consumption.
The root cause is improper handling of large data transfers within the HTTP/3 protocol implementation in Proxygen. When a message larger than the expected maximum size is received, the code enters a fault state that isn’t correctly handled, leading to the described infinite loop and memory exhaustion.
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) score for CVE-2025-55181 is 5.3 (Medium).
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality Impact (C): None (N)
- Integrity Impact (I): None (N)
- Availability Impact (A): High (H)
The CVSS score reflects the relatively easy exploitability of the vulnerability over the network without any authentication or user interaction. The primary impact is a denial of service due to the application becoming unavailable.
Possible Impact
Successful exploitation of CVE-2025-55181 can lead to a denial-of-service condition. An attacker could send crafted HTTP/3 requests or responses exceeding 2^31 bytes to a server using the vulnerable Proxygen library, causing the server process to exhaust its memory and crash. This can disrupt services and potentially lead to data loss if the affected process is critical.
The vulnerability is especially concerning for applications handling high volumes of HTTP/3 traffic, as a single, oversized request could trigger the memory exhaustion issue.
Mitigation and Patch Steps
The vulnerability has been addressed in a patch. It is highly recommended to upgrade to a version of Proxygen that includes the fix. The fix can be found in the Proxygen commit listed under References.
- Upgrade Proxygen to a version containing the fix from the identified commit. This is the primary and recommended mitigation step.
- If upgrading is not immediately feasible, consider implementing rate limiting or request size limits to mitigate the risk of malicious actors sending oversized requests. However, this is a workaround and not a complete solution.
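The request size limit workaround above, sketched as an added example; this is not Proxygen code and not part of the advisory. The names BodyBudget, Verdict and kMaxBodyBytes, the 64 MiB cap, and the idea of enforcing it in whatever component first counts body bytes (for instance a front-end proxy) are all assumptions.

```cpp
// Added example: hypothetical names, not a Proxygen API.
#include <cstdint>

// Assumption: 64 MiB is the largest body this deployment needs to accept.
constexpr std::uint64_t kMaxBodyBytes = 64ull * 1024 * 1024;
// Body size named in the advisory as the trigger (2^31 bytes).
constexpr std::uint64_t kAdvisoryThreshold = 1ull << 31;
static_assert(kMaxBodyBytes < kAdvisoryThreshold, "cap must stay below 2^31");

enum class Verdict { Accept, RejectDeclared, RejectStreamed };

// Per-message byte budget: checks the declared length up front and the
// running total of streamed body bytes afterwards.
class BodyBudget {
 public:
  explicit BodyBudget(std::uint64_t cap = kMaxBodyBytes) : cap_(cap) {}

  // Call only when a Content-Length header is present, before buffering
  // any body byte. Messages without one are covered by onBodyChunk().
  Verdict onDeclaredLength(std::uint64_t contentLength) {
    if (contentLength > cap_) {
      tripped_ = true;
      return Verdict::RejectDeclared;
    }
    return Verdict::Accept;
  }

  // Call once per body chunk (e.g. an HTTP/3 DATA frame payload).
  // Comparing against the remaining budget avoids integer wraparound,
  // and a declared length that understates the body is still caught here.
  Verdict onBodyChunk(std::uint64_t chunkLen) {
    if (tripped_ || chunkLen > cap_ - seen_) {
      tripped_ = true;  // sticky: the stream should be reset, not resumed
      return Verdict::RejectStreamed;
    }
    seen_ += chunkLen;
    return Verdict::Accept;
  }

  std::uint64_t bytesSeen() const { return seen_; }

 private:
  std::uint64_t cap_;
  std::uint64_t seen_ = 0;  // invariant: seen_ <= cap_
  bool tripped_ = false;
};
```

On any verdict other than Accept, the caller should stop reading and reset the stream rather than buffer further data.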
References
Proxygen Commit: 17689399ef99b7c3d3a8b2b768b1dba1a4b72f8f
Facebook Security Advisory: CVE-2025-55181
