2.7

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-65942

GHSA ID

GHSA-66jq-2c23-2xh5

EPSS Score

CWE

CWE-770

Published

11/25/2025

Updated

11/25/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-65942

CVE-2025-65942: VictoriaMetrics' Snappy Decoder DoS Vulnerability is Causing OOM

Impact

Affected versions are vulnerable to DoS attacks because the snappy decoder ignored VictoriaMetrics request size limits allowing malformed blocks to trigger excessive memory use. This could lead to OOM errors and service instability. The fix enforces block-size checks based on MaxRequest limits.

Patches

Versions 1.129.1, 1.122.8, 1.110.23

Resources

https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.129.1
https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.122.8
https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.110.23

Note

VictoriaMetrics' security model assumes its APIs are properly secured (e.g. via access control flags or a firewall); this advisory addresses malicious input that should not be possible under a correctly secured deployment.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-65942

CVE-2025-65942:

2.7

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-65942

GHSA ID

GHSA-66jq-2c23-2xh5

EPSS Score

CWE

CWE-770

Published

11/25/2025

Updated

11/25/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/VictoriaMetrics/VictoriaMetrics	go	>= 1.123.0, < 1.129.1	1.129.1
github.com/VictoriaMetrics/VictoriaMetrics	go	>= 1.111.0, < 1.122.8	1.122.8

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a denial-of-service (DoS) weakness in VictoriaMetrics' handling of snappy-compressed data. The root cause is the use of github.com/golang/snappy.Decode without pre-validating the uncompressed data size declared in the snappy block header. A malicious actor could send a small, crafted payload that claims a very large uncompressed size, causing the application to attempt a massive memory allocation, leading to an Out-Of-Memory (OOM) crash.

The security patch, commit 51b44afd34d2c9a392d4ebedeeb5b4a7f5beca24, addresses this by introducing a custom wrapper function, lib/encoding/snappy.Decode. This new function first calls snappy.DecodedLen to check the declared uncompressed size against a provided limit before proceeding with the actual decompression. If the size exceeds the limit, it returns an error, preventing the dangerous memory allocation.

The analysis identified three key functions where this unsafe decoding occurred:

stream.Parse: Processes incoming data for the Prometheus remote write endpoint.
protoparserutil.ReadUncompressedData: A general-purpose utility for reading compressed data.
snappyReader.Reset: A method for handling snappy-encoded data streams.

These functions were all modified in the patch to replace the direct, unsafe call to snappy.Decode with the new, size-limited wrapper. During an exploit, these are the functions that would process the malicious input, and their names would likely appear in a stack trace or runtime profile just before the OOM error.

Vulnerable functions

stream.Parse

lib/protoparser/promremotewrite/stream/streamparser.go

The `Parse` function in the `stream` package processes incoming Prometheus remote write requests. It used `snappy.Decode` to decompress request bodies without checking the potential output size. A malicious request with a crafted snappy payload could declare a very large uncompressed size, causing the decoder to allocate excessive memory, leading to a denial of service. The patch replaces the direct call with a new `snappy.Decode` wrapper that enforces the `maxInsertRequestSize` limit.

protoparserutil.ReadUncompressedData

lib/protoparser/protoparserutil/compress_reader.go

This utility function reads various compressed data formats. For snappy encoding, it defined an inline `decompress` function that called `snappy.Decode` without any size validation. This function could be used by various parts of the application to process potentially malicious input. The patch applies a `maxDataSize` limit by switching to the new, safer `snappy.Decode` wrapper.

snappyReader.Reset

lib/protoparser/protoparserutil/compress_reader.go

The `Reset` method on the `snappyReader` struct is used to re-initialize a reader with new compressed data. It directly called `snappy.Decode` on the input data without validating the size of the decompressed output. This could lead to excessive memory allocation if a malicious snappy block was provided. The patch mitigates this by calling a new `snappy.Decode` wrapper that enforces a `maxSnappyBlockSize` limit.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

2.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-65942: VictoriaMetrics' Snappy Decoder DoS Vulnerability is Causing OOM

Impact

Patches

Resources

Note

CVE-2025-65942:

2.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-65942: VictoriaMetrics' Snappy Decoder DoS Vulnerability is Causing OOM

Impact

Patches

Resources

Note

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

2.7

2.7

Basic Information

Basic Information

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI