Impact
This vulnerability arises from improper handling of context cancellations in the CircuitBreaker modules of KrakenD. When a context is cancelled, the program does not adequately close or release related resources, creating a leak that can exhaust system resources over time. The weakness is classified as CWE-404, an improper resource shutdown or release flaw, indicating that the application may fail to shut down resources correctly when required. The net consequence is a gradual degradation of the service, potentially leading to service interruption if the leaked resources accumulate.
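To show the kind of resource-release defect the advisory describes, the following Go example is added here; it is a hypothetical call wrapper in the style of a circuit breaker, not KrakenD's CircuitBreaker code, and the function names and the goroutine-counting helper are assumptions. The leaky variant strands one goroutine per cancelled context, the hardened variant releases it, and the helper measures the difference with runtime.NumGoroutine.

```go
package main

import (
	"context"
	"runtime"
	"time"
)

// Hypothetical circuit-breaker style wrapper (illustrative, not KrakenD's
// code). The backend runs in its own goroutine; when ctx is cancelled the
// caller returns at once and never reads the unbuffered channel, so the
// worker blocks forever on its send. One goroutine (plus whatever it holds)
// is leaked per cancelled request: the CWE-404 pattern.
func leakyCall(ctx context.Context, backend func() error) error {
	done := make(chan error)
	go func() { done <- backend() }()
	select {
	case err := <-done:
		return err
	case <-ctx.Done():
		return ctx.Err()
	}
}

// Hardened variant: a buffered channel lets the worker complete its send and
// exit even after the caller has given up, so cancellation releases it.
func safeCall(ctx context.Context, backend func() error) error {
	done := make(chan error, 1)
	go func() { done <- backend() }()
	select {
	case err := <-done:
		return err
	case <-ctx.Done():
		return ctx.Err()
	}
}

// leakedGoroutines issues n requests whose context expires before the
// (constructed, deliberately slow) backend answers, then reports how many
// goroutines are still alive afterwards.
func leakedGoroutines(call func(context.Context, func() error) error, n int) int {
	slowBackend := func() error { time.Sleep(10 * time.Millisecond); return nil }
	before := runtime.NumGoroutine()
	for i := 0; i < n; i++ {
		ctx, cancel := context.WithTimeout(context.Background(), time.Millisecond)
		_ = call(ctx, slowBackend)
		cancel()
	}
	time.Sleep(100 * time.Millisecond) // let well-behaved workers finish and exit
	return runtime.NumGoroutine() - before
}
```

Running leakedGoroutines against each wrapper makes the leak visible: the leaky wrapper's count grows by one per cancelled request, the hardened one's returns to baseline.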
Affected Systems
KrakenD Community Edition before version 2.13.1 and KrakenD Enterprise Edition before version 2.12.5 are susceptible. These versions employ the CircuitBreaker modules where the context cancellation logic is flawed. Any deployment of these editions that still uses the legacy CircuitBreaker code is at risk.
Risk and Exploitability
The CVSS base score is 1.3, signifying a low severity. The EPSS score is reported as < 1 %, indicating a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is local or remote API calls that exercise the CircuitBreaker; an attacker would need to trigger context cancellations repeatedly to exhaust resources. Because the flaw requires repeated activity and is not easily exploitable, immediate damage is limited, but an unattended deployment can still suffer service degradation over time.
OpenCVE Enrichment