github.com/victoriametrics/victoriametrics is vulnerable to Denial of Service (DoS)
31
Low Risk
Affected versions of this package are vulnerable to denial-of-service (DoS) attacks. The snappy decoder failed to respect request size limits enforced by VictoriaMetrics components, allowing malformed snappy blocks to trigger excessive memory allocations. This could result in out-of-memory (OOM) errors and service instability. The fix enforces block size validation in ingest endpoints based on the configured MaxRequest limits.
You are affected if you are using a version that falls within the vulnerable range.
github.com/victoriametrics/victoriametrics is vulnerable to Denial of Service (DoS) in versions 1.123.0 - 1.129.0, 1.111.0 - 1.122.7 and 1.18.3 - 1.110.22.
Upgrade the github.com/victoriametrics/victoriametrics library to the patched version.
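The block size validation described above can be illustrated with the snappy block format itself: a block opens with a uvarint holding the uncompressed length, so a decoder that sizes its output buffer from that field can be asked for gigabytes by a few bytes of input. The following Go sketch is an added example, not VictoriaMetrics code or its actual patch; the function names, the 32 MiB limit and the sample blocks are assumptions constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ErrTooLarge is returned when the declared decoded size exceeds the limit.
var ErrTooLarge = errors.New("snappy block: declared decoded size exceeds limit")

// ErrCorrupt is returned when the length preamble cannot be parsed.
var ErrCorrupt = errors.New("snappy block: malformed length preamble")

// declaredLen parses the uvarint preamble of a snappy block, which holds
// the uncompressed length, without decompressing or allocating anything.
func declaredLen(block []byte) (uint64, error) {
	n, read := binary.Uvarint(block)
	if read <= 0 || n > 0xffffffff { // snappy lengths fit in 32 bits
		return 0, ErrCorrupt
	}
	return n, nil
}

// checkBlock rejects a block before decoding if it claims to expand past
// maxDecoded (hypothetical stand-in for the configured request size limit).
func checkBlock(block []byte, maxDecoded uint64) (uint64, error) {
	n, err := declaredLen(block)
	if err != nil {
		return 0, err
	}
	if n > maxDecoded {
		return n, fmt.Errorf("%w: %d > %d", ErrTooLarge, n, maxDecoded)
	}
	return n, nil
}

func main() {
	const limit = 32 << 20 // constructed 32 MiB limit
	// Constructed inputs: 6-byte block claiming ~4 GiB, and a valid "hello".
	hostile := []byte{0xff, 0xff, 0xff, 0xff, 0x0f, 0x00}
	benign := []byte{0x05, 0x10, 'h', 'e', 'l', 'l', 'o'}
	for _, b := range [][]byte{hostile, benign} {
		n, err := checkBlock(b, limit)
		fmt.Println(n, err)
	}
}
```

Running the check before the decoder is called means the oversized request is refused at the cost of reading at most ten header bytes.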