trilogy is vulnerable to Denial of Service (DoS)
30
Low Risk
The trilogy Ruby C extension acquires a pooled read buffer for each query and only returns it to the buffer pool on the normal success path in execute_read_query_response. When an unexpected exception interrupts a query, such as Timeout.timeout firing while waiting on the socket, the extension shuts the connection down and re-raises without checking the buffer back in, so the buffer is never returned to the pool. Each interrupted query leaks its read buffer, and sustained timeouts let process memory grow until the host is exhausted. The fix releases the buffer before shutting down the socket in the exception paths so memory is reclaimed.
You are affected if you are using a version that falls within the vulnerable range and your application wraps queries in a Ruby-level timeout such as Timeout.timeout or Rack::Timeout that can interrupt an in-flight query.
trilogy is vulnerable to Denial of Service (DoS) in versions 2.10.0 - 2.12.5.
Upgrade the trilogy library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant