Homepage

Allocation of Resources Without Limits or Throttling Affecting victoriametrics-operator-fips package, versions <0.65.0-r2

Severity

 Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS
0.04% (12th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Allocation of Resources Without Limits or Throttling vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-CHAINGUARDLATEST-VICTORIAMETRICSOPERATORFIPS-14149147
  • published29 Nov 2025
  • disclosed25 Nov 2025
Report a new vulnerability Found a mistake?

Introduced: 25 Nov 2025

NewCVE-2025-65942  (opens in a new tab)
CWE-770  (opens in a new tab)

How to fix?

Upgrade Chainguard victoriametrics-operator-fips to version 0.65.0-r2 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream victoriametrics-operator-fips package and not the victoriametrics-operator-fips package as distributed by Chainguard. See How to fix? for Chainguard relevant fixed versions and status.

VictoriaMetrics is a scalable solution for monitoring and managing time series data. In versions from 1.0.0 to before 1.110.23, from 1.111.0 to before 1.122.8, and from 1.123.0 to before 1.129.1, affected versions are vulnerable to DoS attacks because the snappy decoder ignored VictoriaMetrics request size limits allowing malformed blocks to trigger excessive memory use. This could lead to OOM errors and service instability. The fix enforces block-size checks based on MaxRequest limits. This issue has been patched in versions 1.110.23, 1.122.8, and 1.129.1.