
CVE-2025-2240: SmallRye Fault Tolerance (smallrye-fault-tolerance)

Description

A flaw was found in SmallRye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) condition. The issue is externally triggerable by calling the metrics URI: every call creates a new object within meterMap, so repeated requests grow memory without bound and may lead to a denial of service (DoS).

Classification

CVE ID: CVE-2025-2240

Problem Types

Improperly Controlled Sequential Memory Allocation

Affected Products

Vendor: Red Hat

Product: Red Hat build of Apache Camel 4 for Quarkus 3, Red Hat build of Apache Camel for Spring Boot 4, Red Hat build of Apicurio Registry 2, Red Hat build of Quarkus, Red Hat Fuse 7, Red Hat Integration Camel K 1, Red Hat JBoss Enterprise Application Platform 7, Red Hat JBoss Enterprise Application Platform 8, Red Hat JBoss Enterprise Application Platform Expansion Pack

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.07% (estimated probability of exploitation in the wild)

EPSS Percentile: 18.99% (share of all scored CVEs with a score less than or equal to this one)

EPSS Date: 2025-04-10 (date the score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-2240
https://access.redhat.com/security/cve/CVE-2025-2240
https://bugzilla.redhat.com/show_bug.cgi?id=2351452

Timeline