Allocation of Resources Without Limits or Throttling in github.com/victoriametrics/victoriametrics/lib/encoding/snappy | CVE-2025-65942

Q: How to fix?

Upgrade github.com/VictoriaMetrics/VictoriaMetrics/lib/encoding/snappy to version 1.110.23, 1.122.8, 1.129.1 or higher.

Introduced: 25 Nov 2025

NewCVE-2025-65942 (opens in a new tab) CWE-770 (opens in a new tab)

How to fix?

Upgrade github.com/VictoriaMetrics/VictoriaMetrics/lib/encoding/snappy to version 1.110.23, 1.122.8, 1.129.1 or higher.

Overview

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the snappy:Decoder function. An attacker can cause excessive memory consumption and potential out-of-memory errors by sending malformed blocks that bypass request size limits. This is only exploitable if the deployment does not properly secure its APIs, such as lacking access control flags or firewall protections.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
High
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
Low

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Allocation of Resources Without Limits or Throttling Affecting github.com/victoriametrics/victoriametrics/lib/encoding/snappy package, versions <1.110.23>=1.111.0-cluster <1.122.8>=1.123.0-cluster <1.129.1

Severity

Do your applications use this vulnerable package?

Snyk Learn

Introduced: 25 Nov 2025

How to fix?

Overview

References

CVSS Base Scores

Snyk