
CVE-2025-43915: Linkerd resource exhaustion vulnerability

CVSS Score
6.5 (CVSS v3.1)

Basic Information

EPSS Score
0.19069%
Published
5/5/2025
Updated
5/6/2025
KEV Status
No
Technology
Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
Read: reachable over the network, high attack complexity, no privileges or user interaction required, unchanged scope, no confidentiality impact, low integrity impact, high availability impact. These metrics give the 6.5 (Medium) base score shown above.
Package Name: github.com/linkerd/linkerd2
Ecosystem: go
Vulnerable Versions: < 0.6.0-20250501173313-4823b7af3e1e
First Patched Version: 0.6.0-20250501173313-4823b7af3e1e
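Because the advisory's patched artifact is a Go module pseudo-version, a project that depends on the linkerd2 Go module can check its go.mod pin against the table above. The following is an added example written for this page, not code from Linkerd or Miggo. The sample go.mod contents, the module path example.com/linkerd-ext, and the older pseudo-version with its commit hash are constructed for illustration; the only real values are the module path and the first patched pseudo-version from the table (Go module versions carry a leading "v", which the table omits).

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// affectedModule and firstPatched come from the advisory table on this page.
const (
	affectedModule = "github.com/linkerd/linkerd2"
	firstPatched   = "v0.6.0-20250501173313-4823b7af3e1e"
)

// Go pseudo-versions end in a 14-digit UTC timestamp and a 12-hex-digit commit prefix.
var pseudoTS = regexp.MustCompile(`(\d{14})-[0-9a-f]{12}$`)

type version struct {
	major, minor, patch int
	pre                 string // text after the first '-' (empty for a tagged release)
	ts                  string // pseudo-version timestamp, if any
}

func parseVersion(s string) (version, error) {
	var v version
	s = strings.TrimSuffix(strings.TrimPrefix(s, "v"), "+incompatible")
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.pre = s[i+1:]
		s = s[:i]
		if m := pseudoTS.FindStringSubmatch(v.pre); m != nil {
			v.ts = m[1]
		}
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("not a semver version: %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return v, fmt.Errorf("bad version component %q", p)
		}
		nums[i] = n
	}
	v.major, v.minor, v.patch = nums[0], nums[1], nums[2]
	return v, nil
}

// compare orders versions the way the go command does for the forms handled here:
// numeric base first; a tagged release is newer than any pre-release or
// pseudo-version with the same base; two pseudo-versions compare by timestamp.
func compare(a, b version) int {
	for _, p := range [][2]int{{a.major, b.major}, {a.minor, b.minor}, {a.patch, b.patch}} {
		if p[0] != p[1] {
			if p[0] < p[1] {
				return -1
			}
			return 1
		}
	}
	switch {
	case a.pre == "" && b.pre == "":
		return 0
	case a.pre == "":
		return 1
	case b.pre == "":
		return -1
	case a.ts != "" && b.ts != "":
		return strings.Compare(a.ts, b.ts)
	}
	return strings.Compare(a.pre, b.pre)
}

// linkerdRequire returns the version pinned for affectedModule in a go.mod,
// handling both the single-line `require X vN` form and the parenthesised block.
func linkerdRequire(goMod string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop "// indirect" and other comments
		}
		f := strings.Fields(line)
		if len(f) == 3 && f[0] == "require" {
			f = f[1:]
		}
		if len(f) == 2 && f[0] == affectedModule {
			return f[1], true
		}
	}
	return "", false
}

// IsVulnerable reports the pinned linkerd2 version and whether it precedes firstPatched.
func IsVulnerable(goMod string) (string, bool, error) {
	ver, ok := linkerdRequire(goMod)
	if !ok {
		return "", false, fmt.Errorf("%s is not required by this go.mod", affectedModule)
	}
	have, err := parseVersion(ver)
	if err != nil {
		return ver, false, err
	}
	want, _ := parseVersion(firstPatched)
	return ver, compare(have, want) < 0, nil
}

// Constructed sample go.mod contents; the older pseudo-version and hash are hypothetical.
const sampleOldGoMod = `module example.com/linkerd-ext

go 1.22

require (
	github.com/linkerd/linkerd2 v0.6.0-20250115000000-aaaaaaaaaaaa // indirect
	github.com/spf13/cobra v1.8.0
)
`

const samplePatchedGoMod = `module example.com/linkerd-ext

go 1.22

require github.com/linkerd/linkerd2 ` + firstPatched + `
`

func main() {
	for _, m := range []string{sampleOldGoMod, samplePatchedGoMod} {
		ver, vuln, err := IsVulnerable(m)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s %s vulnerable=%t\n", affectedModule, ver, vuln)
	}
}
```

The check reads only the require directives; it does not follow replace directives, a vendored copy, or the selected version in a multi-module build, so for a real repository confirm the result with `go list -m all` or run govulncheck against the module.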

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is a resource exhaustion condition in Linkerd proxy metrics. The fix visible in the referenced change is a dependency update of tokio-metrics from version 0.4.1 to 0.4.2. Note that tokio-metrics is a Rust crate consumed by the Linkerd data-plane proxy (linkerd2-proxy), whereas the package listed in the table above is the Go module github.com/linkerd/linkerd2, which is the artifact the advisory is tracked against.

The commits in tokio-metrics between those two versions are mostly documentation changes, build-process improvements (semver checks, badges) and minor fixes to feature flags and documentation generation.

None of those code changes points directly at a resource exhaustion bug or its fix. The vulnerability therefore more likely lies in how Linkerd uses tokio-metrics, or in an interaction that the version bump happens to resolve, rather than in a specific vulnerable function inside tokio-metrics that was patched in 0.4.2.

Without information linking the resource exhaustion to particular functions, either in tokio-metrics or in Linkerd's use of it, vulnerable functions cannot be identified with high confidence from the commit history alone. The dependency bump suggests the problem was in the older tokio-metrics version or its integration with Linkerd, but the 0.4.1 to 0.4.2 diff, being mostly documentation and CI, does not show the fix itself.

Two explanations are consistent with the diffs: the actual fix landed in an earlier change or in a different component, and 0.4.2 is simply the version Linkerd moved to that carries it; or the fix is somewhere between 0.4.1 and 0.4.2 but is not obvious from the commit messages and code changes. Either way, the remediation is to use the newer version, i.e. a Linkerd release at or above the first patched version listed above.


WAF Protection Rules

WAF Rule

In Buoyant Edge releases before edge-**.*.* and Enterprise for Linkerd releases *.**.* before *.**.*, *.**.* before *.**.*, and *.**.* before *.**.*, resource exhaustion can occur for Linkerd proxy metrics. (The release numbers are redacted on the source page.)
