Allocation of Resources Without Limits or Throttling in kdcproxy | CVE-2025-59089

Q: How to fix?

A fix was pushed into the master branch but not yet published.

Introduced: 12 Nov 2025

NewCVE-2025-59089 (opens in a new tab) CWE-770 (opens in a new tab)

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via Application.__handle_recv(). An attacker can exhaust server memory or CPU resources by causing the system to process unbounded TCP response data from an attacker-controlled upstream server. This is achieved by sending excessively large or continuous response chunks, leading to excessive memory allocation and CPU usage until the connection times out. Multiple concurrent requests can also overflow the accept queue, preventing legitimate clients from connecting.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
High
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Allocation of Resources Without Limits or Throttling Affecting kdcproxy package, versions [0,]

Severity

Do your applications use this vulnerable package?

Snyk Learn

Introduced: 12 Nov 2025

How to fix?

Overview

References

CVSS Base Scores

Snyk