CVE-2025-2240 - Vulnerability Details

A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Redhat	Apache Camel Spring Boot Apicurio Registry Camel Quarkus Camel Spring Boot Integration Jboss Enterprise Application Platform Jboss Fuse Jbosseapxp Quarkus Service Registry

No data.

Package	CPE	Advisory	Released Date
Red Hat build of Apache Camel 4.8.5 for Spring Boot
io.smallrye/smallrye-fault-tolerance-core	cpe:/a:redhat:apache_camel_spring_boot:4.8.5	RHSA-2025:3543	2025-04-02T00:00:00Z
Red Hat Build of Apache Camel 4.8 for Quarkus 3.15
com.redhat.quarkus.platform/quarkus-camel-bom	cpe:/a:redhat:camel_quarkus:3	RHSA-2025:3541	2025-04-02T00:00:00Z
com.redhat.quarkus.platform/quarkus-cxf-bom	cpe:/a:redhat:camel_quarkus:3	RHSA-2025:3541	2025-04-02T00:00:00Z
Red Hat build of Quarkus 3.15.4
io.smallrye/smallrye-fault-tolerance-core	cpe:/a:redhat:quarkus:3.15::el8	RHSA-2025:3376	2025-04-02T00:00:00Z

References

Link	Providers
https://access.redhat.com/errata/RHSA-2025:3376
https://access.redhat.com/errata/RHSA-2025:3541
https://access.redhat.com/security/cve/CVE-2025-2240
https://bugzilla.redhat.com/show_bug.cgi?id=2351452
https://github.com/advisories/GHSA-gfh6-3pqw-x2j4
https://nvd.nist.gov/vuln/detail/CVE-2025-2240
https://www.cve.org/CVERecord?id=CVE-2025-2240

History

Thu, 03 Apr 2025 03:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat apache Camel Spring Boot
CPEs		cpe:/a:redhat:apache_camel_spring_boot:4.8.5
Vendors & Products		Redhat apache Camel Spring Boot

Wed, 02 Apr 2025 17:00:00 +0000

Type	Values Removed	Values Added
References		https://access.redhat.com/errata/RHSA-2025:3541

Wed, 02 Apr 2025 13:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:quarkus:3.15::el8
References		https://access.redhat.com/errata/RHSA-2025:3376

Tue, 01 Apr 2025 09:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat apicurio Registry
CPEs		cpe:/a:redhat:apicurio_registry:3
Vendors & Products		Redhat apicurio Registry

Thu, 13 Mar 2025 20:15:00 +0000

Type	Values Removed	Values Added
References		https://github.com/advisories/GHSA-gfh6-3pqw-x2j4

Wed, 12 Mar 2025 15:00:00 +0000

Type	Values Removed	Values Added
Description	No description is available for this CVE.	A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue.
Title	smallrye-fault-tolerance: SmallRye Fault Tolerance	Smallrye-fault-tolerance: smallrye fault tolerance
First Time appeared		Redhat Redhat camel Quarkus Redhat camel Spring Boot Redhat integration Redhat jboss Enterprise Application Platform Redhat jboss Fuse Redhat jbosseapxp Redhat quarkus Redhat service Registry
CPEs		cpe:/a:redhat:camel_quarkus:3 cpe:/a:redhat:camel_spring_boot:4 cpe:/a:redhat:integration:1 cpe:/a:redhat:jboss_enterprise_application_platform:7 cpe:/a:redhat:jboss_enterprise_application_platform:8 cpe:/a:redhat:jboss_fuse:7 cpe:/a:redhat:jbosseapxp cpe:/a:redhat:quarkus:3 cpe:/a:redhat:service_registry:2
Vendors & Products		Redhat Redhat camel Quarkus Redhat camel Spring Boot Redhat integration Redhat jboss Enterprise Application Platform Redhat jboss Fuse Redhat jbosseapxp Redhat quarkus Redhat service Registry
References		https://access.redhat.com/security/cve/CVE-2025-2240 https://bugzilla.redhat.com/show_bug.cgi?id=2351452

Wed, 12 Mar 2025 13:45:00 +0000

Type	Values Removed	Values Added
Description		No description is available for this CVE.
Title		smallrye-fault-tolerance: SmallRye Fault Tolerance
Weaknesses		CWE-1325
References		https://nvd.nist.gov/vuln/detail/CVE-2025-2240 https://www.cve.org/CVERecord?id=CVE-2025-2240
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Important`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2025-03-12T14:55:15.889Z

Updated: 2025-04-02T16:50:15.786Z

Reserved: 2025-03-12T02:36:02.101Z

Link: CVE-2025-2240

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2025-03-12T15:15:42.273

Modified: 2025-04-02T17:15:46.023

Link: CVE-2025-2240

Redhat

Severity : Important

Publid Date: 2025-03-12T00:00:00Z

Links: CVE-2025-2240 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-2240", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2025-03-12T02:36:02.101Z", "datePublished": "2025-03-12T14:55:15.889Z", "dateUpdated": "2025-04-02T16:50:15.786Z"}, "containers": {"cna": {"title": "Smallrye-fault-tolerance: smallrye fault tolerance", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "com.redhat.quarkus.platform/quarkus-camel-bom", "cpes": ["cpe:/a:redhat:camel_quarkus:3"]}, {"vendor": "Red Hat", "product": "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "com.redhat.quarkus.platform/quarkus-cxf-bom", "cpes": ["cpe:/a:redhat:camel_quarkus:3"]}, {"vendor": "Red Hat", "product": "Red Hat build of Quarkus 3.15.4", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "unaffected", "packageName": "io.smallrye/smallrye-fault-tolerance-core", "cpes": ["cpe:/a:redhat:quarkus:3.15::el8"]}, {"vendor": "Red Hat", "product": "Red Hat build of Apache Camel for Spring Boot 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "io.smallrye/smallrye-fault-tolerance-core", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:camel_spring_boot:4"]}, {"vendor": "Red Hat", "product": "Red Hat build of Apicurio Registry 2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "io.smallrye/smallrye-fault-tolerance-core", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:service_registry:2"]}, {"vendor": "Red Hat", "product": "Red Hat build of Apicurio Registry 3", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "io.smallrye/smallrye-fault-tolerance-core", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:apicurio_registry:3"]}, {"vendor": "Red Hat", "product": "Red Hat build of Quarkus", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "io.smallrye/smallrye-fault-tolerance-apiimpl", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:quarkus:3"]}, {"vendor": "Red Hat", "product": "Red Hat Fuse 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "io.smallrye/smallrye-fault-tolerance-core", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:jboss_fuse:7"]}, {"vendor": "Red Hat", "product": "Red Hat Integration Camel K 1", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "io.smallrye/smallrye-fault-tolerance-core", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:integration:1"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "io.smallrye/smallrye-fault-tolerance-core", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "io.smallrye/smallrye-fault-tolerance-core", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "io.smallrye/smallrye-fault-tolerance-core", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:jbosseapxp"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:3376", "name": "RHSA-2025:3376", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2025:3541", "name": "RHSA-2025:3541", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2025-2240", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2351452", "name": "RHBZ#2351452", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/advisories/GHSA-gfh6-3pqw-x2j4"}], "datePublic": "2025-03-12T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-1325", "description": "Improperly Controlled Sequential Memory Allocation", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-1325: Improperly Controlled Sequential Memory Allocation", "workarounds": [{"lang": "en", "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible."}], "timeline": [{"lang": "en", "time": "2025-03-12T02:23:44.660000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-03-12T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-04-02T16:50:15.786Z"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en Smallrye, donde smallrye-fault-tolerance es vulnerable a un problema de falta de memoria (OOM). Esta vulnerabilidad se activa externamente al llamar a la URI de m\u00e9tricas. Cada llamada crea un nuevo objeto dentro de meterMap y puede provocar una denegaci\u00f3n de servicio (DoS)."}], "id": "CVE-2025-2240", "lastModified": "2025-04-02T17:15:46.023", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2025-03-12T15:15:42.273", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2025:3376"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2025:3541"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2025-2240"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2351452"}, {"source": "secalert@redhat.com", "url": "https://github.com/advisories/GHSA-gfh6-3pqw-x2j4"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1325"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:3543", "cpe": "cpe:/a:redhat:apache_camel_spring_boot:4.8.5", "package": "io.smallrye/smallrye-fault-tolerance-core", "product_name": "Red Hat build of Apache Camel 4.8.5 for Spring Boot", "release_date": "2025-04-02T00:00:00Z"}, {"advisory": "RHSA-2025:3541", "cpe": "cpe:/a:redhat:camel_quarkus:3", "package": "com.redhat.quarkus.platform/quarkus-camel-bom", "product_name": "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15", "release_date": "2025-04-02T00:00:00Z"}, {"advisory": "RHSA-2025:3541", "cpe": "cpe:/a:redhat:camel_quarkus:3", "package": "com.redhat.quarkus.platform/quarkus-cxf-bom", "product_name": "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15", "release_date": "2025-04-02T00:00:00Z"}, {"advisory": "RHSA-2025:3376", "cpe": "cpe:/a:redhat:quarkus:3.15::el8", "package": "io.smallrye/smallrye-fault-tolerance-core", "product_name": "Red Hat build of Quarkus 3.15.4", "release_date": "2025-04-02T00:00:00Z"}], "bugzilla": {"description": "smallrye-fault-tolerance: SmallRye Fault Tolerance", "id": "2351452", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2351452"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-1325", "details": ["A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue.", "A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue."], "mitigation": {"lang": "en:us", "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible."}, "name": "CVE-2025-2240", "package_state": [{"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Affected", "package_name": "io.smallrye/smallrye-fault-tolerance-core", "product_name": "Red Hat build of Apicurio Registry 2"}, {"cpe": "cpe:/a:redhat:apicurio_registry:3", "fix_state": "Affected", "package_name": "io.smallrye/smallrye-fault-tolerance-core", "product_name": "Red Hat build of Apicurio Registry 3"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Not affected", "package_name": "io.smallrye/smallrye-fault-tolerance-apiimpl", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Out of support scope", "package_name": "io.smallrye/smallrye-fault-tolerance-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "io.smallrye/smallrye-fault-tolerance-core", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "io.smallrye/smallrye-fault-tolerance-core", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "io.smallrye/smallrye-fault-tolerance-core", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "io.smallrye/smallrye-fault-tolerance-core", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2025-03-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-2240\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-2240\nhttps://github.com/advisories/GHSA-gfh6-3pqw-x2j4"], "statement": "This vulnerability allows a remote attacker to cause an out-of-memory issue when calling the metrics URI, resulting in a denial of service. As this flaw can be triggered via the network, it has been rated with an important severity.", "threat_severity": "Important"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object