CVE-2025-2240: SmallRye Fault Tolerance out-of-memory (OOM) issue
(updated )
A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue.
References
- access.redhat.com/errata/RHSA-2025:3376
- access.redhat.com/errata/RHSA-2025:3541
- access.redhat.com/security/cve/CVE-2025-2240
- bugzilla.redhat.com/show_bug.cgi?id=2351452
- github.com/advisories/GHSA-gfh6-3pqw-x2j4
- github.com/smallrye/smallrye-fault-tolerance
- github.com/smallrye/smallrye-fault-tolerance/commit/e8bcad3d5e8bbac0a3219bd5c13661adf6ed6bbb
- github.com/smallrye/smallrye-fault-tolerance/pull/985
- github.com/smallrye/smallrye-fault-tolerance/pull/985/files
- nvd.nist.gov/vuln/detail/CVE-2025-2240
- smallrye.io/blog/fault-tolerance-6-9-0
Code Behaviors & Features
Detect and mitigate CVE-2025-2240 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →