{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-2240","assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","state":"PUBLISHED","assignerShortName":"redhat","dateReserved":"2025-03-12T02:36:02.101Z","datePublished":"2025-03-12T14:55:15.889Z","dateUpdated":"2026-05-06T16:47:49.252Z"},"containers":{"cna":{"title":"Smallrye-fault-tolerance: smallrye fault tolerance","metrics":[{"other":{"content":{"value":"Important","namespace":"https://access.redhat.com/security/updates/classification/"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"format":"CVSS"}],"descriptions":[{"lang":"en","value":"A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue."}],"affected":[{"versions":[{"status":"affected","version":"6.3.0","lessThan":"6.4.2","versionType":"semver"},{"status":"affected","version":"6.5.0","lessThan":"6.9.0","versionType":"semver"}],"packageName":"smallrye-fault-tolerance-core","collectionURL":"https://github.com/smallrye/smallrye-fault-tolerance","defaultStatus":"unaffected"},{"vendor":"Red Hat","product":"Red Hat build of Apache Camel 4.8.5 for Spring Boot","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","defaultStatus":"unaffected","packageName":"io.smallrye/smallrye-fault-tolerance-core","cpes":["cpe:/a:redhat:apache_camel_spring_boot:4.8.5"]},{"vendor":"Red Hat","product":"Red Hat Build of Apache Camel 4.8 for Quarkus 3.15","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","defaultStatus":"unaffected","packageName":"com.redhat.quarkus.platform/quarkus-camel-bom","cpes":["cpe:/a:redhat:camel_quarkus:3.15"]},{"vendor":"Red Hat","product":"Red Hat Build of Apache Camel 4.8 for Quarkus 3.15","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","defaultStatus":"unaffected","packageName":"com.redhat.quarkus.platform/quarkus-cxf-bom","cpes":["cpe:/a:redhat:camel_quarkus:3.15"]},{"vendor":"Red Hat","product":"Red Hat build of Quarkus 3.15.4","collectionURL":"https://access.redhat.com/jbossnetwork/restricted/listSoftware.html","defaultStatus":"unaffected","cpes":["cpe:/a:redhat:quarkus:3.15::el8"]},{"vendor":"Red Hat","product":"Red Hat build of Apicurio Registry 2","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"io.smallrye/smallrye-fault-tolerance-core","defaultStatus":"affected","cpes":["cpe:/a:redhat:service_registry:2"]},{"vendor":"Red Hat","product":"Red Hat build of Apicurio Registry 3","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"io.smallrye/smallrye-fault-tolerance-core","defaultStatus":"affected","cpes":["cpe:/a:redhat:apicurio_registry:3"]},{"vendor":"Red Hat","product":"Red Hat build of Quarkus","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"io.smallrye/smallrye-fault-tolerance-apiimpl","defaultStatus":"unaffected","cpes":["cpe:/a:redhat:quarkus:3"]},{"vendor":"Red Hat","product":"Red Hat build of Quarkus","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"io.smallrye/smallrye-fault-tolerance-core","defaultStatus":"unaffected","cpes":["cpe:/a:redhat:quarkus:3"]},{"vendor":"Red Hat","product":"Red Hat Fuse 7","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"io.smallrye/smallrye-fault-tolerance-core","defaultStatus":"unknown","cpes":["cpe:/a:redhat:jboss_fuse:7"]},{"vendor":"Red Hat","product":"Red Hat Integration Camel K 1","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"io.smallrye/smallrye-fault-tolerance-core","defaultStatus":"affected","cpes":["cpe:/a:redhat:integration:1"]},{"vendor":"Red Hat","product":"Red Hat JBoss Enterprise Application Platform 7","collectionURL":"https://access.redhat.com/jbossnetwork/restricted/listSoftware.html","packageName":"smallrye-fault-tolerance-core","defaultStatus":"affected","cpes":["cpe:/a:redhat:jboss_enterprise_application_platform:7"]},{"vendor":"Red Hat","product":"Red Hat JBoss Enterprise Application Platform 8","collectionURL":"https://access.redhat.com/jbossnetwork/restricted/listSoftware.html","packageName":"smallrye-fault-tolerance-core","defaultStatus":"unaffected","cpes":["cpe:/a:redhat:jboss_enterprise_application_platform:8"]},{"vendor":"Red Hat","product":"Red Hat JBoss Enterprise Application Platform Expansion Pack","collectionURL":"https://access.redhat.com/jbossnetwork/restricted/listSoftware.html","packageName":"smallrye-fault-tolerance-core","defaultStatus":"unaffected","cpes":["cpe:/a:redhat:jbosseapxp"]}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2025:3376","name":"RHSA-2025:3376","tags":["vendor-advisory","x_refsource_REDHAT"]},{"url":"https://access.redhat.com/errata/RHSA-2025:3541","name":"RHSA-2025:3541","tags":["vendor-advisory","x_refsource_REDHAT"]},{"url":"https://access.redhat.com/errata/RHSA-2025:3543","name":"RHSA-2025:3543","tags":["vendor-advisory","x_refsource_REDHAT"]},{"url":"https://access.redhat.com/security/cve/CVE-2025-2240","tags":["vdb-entry","x_refsource_REDHAT"]},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2351452","name":"RHBZ#2351452","tags":["issue-tracking","x_refsource_REDHAT"]},{"url":"https://github.com/advisories/GHSA-gfh6-3pqw-x2j4"}],"datePublic":"2025-03-12T00:00:00.000Z","problemTypes":[{"descriptions":[{"cweId":"CWE-1325","description":"Improperly Controlled Sequential Memory Allocation","lang":"en","type":"CWE"}]}],"x_redhatCweChain":"CWE-1325: Improperly Controlled Sequential Memory Allocation","workarounds":[{"lang":"en","value":"Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible."}],"timeline":[{"lang":"en","time":"2025-03-12T02:23:44.660Z","value":"Reported to Red Hat."},{"lang":"en","time":"2025-03-12T00:00:00.000Z","value":"Made public."}],"providerMetadata":{"orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat","dateUpdated":"2026-05-06T16:47:49.252Z"},"x_generator":{"engine":"cvelib 1.8.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-03-12T15:08:58.646132Z","id":"CVE-2025-2240","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-05-12T15:37:42.110Z"}}]}}