5.5

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-69255

CVE-2025-69255: RustFS gRPC GetMetrics deserialization panic enables remote DoS

RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 to 1.0.0-alpha.77, a malformed gRPC GetMetrics request causes get_metrics to unwrap() failed deserialization of metric_type/opts, panicking the handler thread and enabling remote denial of service of the metrics endpoint. This issue has been patched in version 1.0.0-alpha.78.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-69255

CVE-2025-69255:

5.5

CVSS Score

4.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
rustfs	rust	>= 1.0.0-alpha.13, <= 1.0.0-alpha.77	1.0.0-alpha.78

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability described is a remote denial of service in the GetMetrics gRPC endpoint of RustFS. The advisory explicitly points to rustfs/src/storage/tonic_service.rs:1775-1782 and the use of .unwrap() on deserialization operations. The provided patch eb33e82b56ed11fd12bb39416359d8d60737dc7a confirms this. The changes in rustfs/src/storage/tonic_service.rs clearly show the replacement of .unwrap() with proper error handling within the get_metrics function of the NodeService struct. When a malformed request is sent, the Deserialize::deserialize function returns an Err, and the subsequent .unwrap() call triggers a panic, crashing the worker thread. The vulnerable function is therefore NodeService::get_metrics.

Vulnerable functions

NodeService::get_metrics

rustfs/src/storage/tonic_service.rs

The function deserializes two fields from the gRPC request, `metric_type` and `opts`, using `rmp_serde`. The `.unwrap()` call on the result of the deserialization would cause the thread to panic if the provided byte payload was malformed. This panic in the gRPC handler thread leads to a denial of service.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-69255: RustFS gRPC GetMetrics deserialization panic enables remote DoS

CVE-2025-69255:

5.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

5.5

5.5

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

CVE-2025-69255: RustFS gRPC GetMetrics deserialization panic enables remote DoS

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI