CWE-772
Missing Release of Resource after Effective Lifetime
The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
CVE-2025-27421 (GCVE-0-2025-27421)
Vulnerability from cvelistv5 – Published: 2025-03-03 16:19 – Updated: 2025-03-03 16:41
VLAI
Title
Goroutine Leak in Abacus SSE Implementation
Summary
Abacus is a highly scalable and stateless counting API. A critical goroutine leak vulnerability has been identified in the Abacus server's Server-Sent Events (SSE) implementation. The issue occurs when clients disconnect from the /stream endpoint, as the server fails to properly clean up resources and terminate associated goroutines. This leads to resource exhaustion where the server continues running but eventually stops accepting new SSE connections while maintaining high memory usage. The vulnerability specifically involves improper channel cleanup in the event handling mechanism, causing goroutines to remain blocked indefinitely. This vulnerability is fixed in 1.4.0.
Severity
7.5 (High)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/JasonLovesDoggo/abacus/securit… | x_refsource_CONFIRM |
| https://github.com/JasonLovesDoggo/abacus/commit/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| JasonLovesDoggo | abacus |
Affected:
< 1.4.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27421",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-03T16:40:35.160534Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-03T16:41:28.153Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "abacus",
"vendor": "JasonLovesDoggo",
"versions": [
{
"status": "affected",
"version": "\u003c 1.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Abacus is a highly scalable and stateless counting API. A critical goroutine leak vulnerability has been identified in the Abacus server\u0027s Server-Sent Events (SSE) implementation. The issue occurs when clients disconnect from the /stream endpoint, as the server fails to properly clean up resources and terminate associated goroutines. This leads to resource exhaustion where the server continues running but eventually stops accepting new SSE connections while maintaining high memory usage. The vulnerability specifically involves improper channel cleanup in the event handling mechanism, causing goroutines to remain blocked indefinitely. This vulnerability is fixed in 1.4.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772: Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-03T16:19:23.914Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/JasonLovesDoggo/abacus/security/advisories/GHSA-vh64-54px-qgf8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/JasonLovesDoggo/abacus/security/advisories/GHSA-vh64-54px-qgf8"
},
{
"name": "https://github.com/JasonLovesDoggo/abacus/commit/898ff1204e11317cc161240b660e63eed5a72b33",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/JasonLovesDoggo/abacus/commit/898ff1204e11317cc161240b660e63eed5a72b33"
}
],
"source": {
"advisory": "GHSA-vh64-54px-qgf8",
"discovery": "UNKNOWN"
},
"title": "Goroutine Leak in Abacus SSE Implementation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27421",
"datePublished": "2025-03-03T16:19:23.914Z",
"dateReserved": "2025-02-24T15:51:17.269Z",
"dateUpdated": "2025-03-03T16:41:28.153Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30256 (GCVE-0-2025-30256)
Vulnerability from cvelistv5 – Published: 2025-08-20 13:09 – Updated: 2025-11-03 18:09
VLAI
Summary
A denial of service vulnerability exists in the HTTP Header Parsing functionality of Tenda AC6 V5.0 V02.03.01.110. A specially crafted series of HTTP requests can lead to a reboot. An attacker can send multiple network packets to trigger this vulnerability.
Severity
8.6 (High)
CWE
- CWE-772 - Missing Release of Resource after Effective Lifetime
Assigner
References
1 reference
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30256",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T13:52:56.661921Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T15:12:34.687Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T18:09:00.836Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2166"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "AC6 V5.0",
"vendor": "Tenda",
"versions": [
{
"status": "affected",
"version": "V02.03.01.110"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Discovered by Lilith \u0026gt;_\u0026gt; of Cisco Talos."
}
],
"descriptions": [
{
"lang": "en",
"value": "A denial of service vulnerability exists in the HTTP Header Parsing functionality of Tenda AC6 V5.0 V02.03.01.110. A specially crafted series of HTTP requests can lead to a reboot. An attacker can send multiple network packets to trigger this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772: Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T13:09:06.026Z",
"orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"shortName": "talos"
},
"references": [
{
"name": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2166",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2166"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"assignerShortName": "talos",
"cveId": "CVE-2025-30256",
"datePublished": "2025-08-20T13:09:06.026Z",
"dateReserved": "2025-03-31T11:59:44.601Z",
"dateUpdated": "2025-11-03T18:09:00.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36071 (GCVE-0-2025-36071)
Vulnerability from cvelistv5 – Published: 2025-07-29 18:27 – Updated: 2025-07-29 19:32
VLAI
Title
IBM Db2 denial of service
Summary
IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.2 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query due to improper release of memory resources.
Severity
6.5 (Medium)
CWE
- CWE-772 - Missing Release of Resource after Effective Lifetime
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7240955 | vendor-advisorypatch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | IBM Db2 |
Affected:
11.5.0 , ≤ 11.5.9
(semver)
Affected: 12.1.0 , ≤ 12.1.2 (semver) cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:linux:*:* cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:unix:*:* cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:aix:*:* cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:windows:*:* cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:zos:*:* cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:linux:*:* cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:unix:*:* cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:aix:*:* cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:windows:*:* cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:zos:*:* cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:linux:*:* cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:unix:*:* cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:aix:*:* cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:windows:*:* cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:zos:*:* cpe:2.3:a:ibm:db2:12.1.1:*:*:*:*:linux:*:* cpe:2.3:a:ibm:db2:12.1.1:*:*:*:*:unix:*:* cpe:2.3:a:ibm:db2:12.1.1:*:*:*:*:aix:*:* cpe:2.3:a:ibm:db2:12.1.1:*:*:*:*:windows:*:* cpe:2.3:a:ibm:db2:12.1.1:*:*:*:*:zos:*:* cpe:2.3:a:ibm:db2:12.1.2:*:*:*:*:linux:*:* cpe:2.3:a:ibm:db2:12.1.2:*:*:*:*:unix:*:* cpe:2.3:a:ibm:db2:12.1.2:*:*:*:*:aix:*:* cpe:2.3:a:ibm:db2:12.1.2:*:*:*:*:windows:*:* cpe:2.3:a:ibm:db2:12.1.2:*:*:*:*:zos:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36071",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-29T19:32:03.369341Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-29T19:32:16.496Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:linux:*:*",
"cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:unix:*:*",
"cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:aix:*:*",
"cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:windows:*:*",
"cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:zos:*:*",
"cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:linux:*:*",
"cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:unix:*:*",
"cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:aix:*:*",
"cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:windows:*:*",
"cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:zos:*:*",
"cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:linux:*:*",
"cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:unix:*:*",
"cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:aix:*:*",
"cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:windows:*:*",
"cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:zos:*:*",
"cpe:2.3:a:ibm:db2:12.1.1:*:*:*:*:linux:*:*",
"cpe:2.3:a:ibm:db2:12.1.1:*:*:*:*:unix:*:*",
"cpe:2.3:a:ibm:db2:12.1.1:*:*:*:*:aix:*:*",
"cpe:2.3:a:ibm:db2:12.1.1:*:*:*:*:windows:*:*",
"cpe:2.3:a:ibm:db2:12.1.1:*:*:*:*:zos:*:*",
"cpe:2.3:a:ibm:db2:12.1.2:*:*:*:*:linux:*:*",
"cpe:2.3:a:ibm:db2:12.1.2:*:*:*:*:unix:*:*",
"cpe:2.3:a:ibm:db2:12.1.2:*:*:*:*:aix:*:*",
"cpe:2.3:a:ibm:db2:12.1.2:*:*:*:*:windows:*:*",
"cpe:2.3:a:ibm:db2:12.1.2:*:*:*:*:zos:*:*"
],
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux",
"Unix",
"AIX",
"z/OS"
],
"product": "IBM Db2",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "11.5.9",
"status": "affected",
"version": "11.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "12.1.2",
"status": "affected",
"version": "12.1.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.2 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query due to improper release of memory resources."
}
],
"value": "IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.2 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query due to improper release of memory resources."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772 Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-29T18:27:40.227Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7240955"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Customers running any vulnerable affected level of an affected Program V11.5, and V12.1 can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent affected level for each impacted release: V11.5.9, V12.1.1 and V12.1.2. They can be applied to any affected mod pack level of the appropriate release to remediate this vulnerability.\u003cbr\u003e\u003cbr\u003e \u003cbr\u003e\u003cbr\u003eRelease Fixed in mod pack APAR Download URL\u003cbr\u003eV11.5 TBD DT425663 \u003cbr\u003eSpecial Build #62071 or later for V11.5.9 available at this link:\u003cbr\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7087189\"\u003ehttps://www.ibm.com/support/pages/node/7087189\u003c/a\u003e\u003cbr\u003eV12.1 V12.1.2 DT425663 \u003cbr\u003eSpecial Build #62100 or later for V12.1.1 available at this link:\u003cbr\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/db2-v1211-published-cumulative-special-build-downloads#52441\"\u003ehttps://www.ibm.com/support/pages/db2-v1211-published-cumulative-special-build-downloads#52441\u003c/a\u003e\u003cbr\u003e\u003cbr\u003e12.1.2 Latest:\u003cbr\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/db2-v1212-published-cumulative-special-build-downloads\"\u003ehttps://www.ibm.com/support/pages/db2-v1212-published-cumulative-special-build-downloads\u003c/a\u003e\u003cbr\u003e\u003cbr\u003e \u003cbr\u003e\u003cbr\u003eIBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.\u003cbr\u003e\u003cbr\u003eNote: After December 31, 2025, 11.1 and 10.5 versions of Db2 will not have security fixes made available as they will reach EoS.\u003cbr\u003e"
}
],
"value": "Customers running any vulnerable affected level of an affected Program V11.5, and V12.1 can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent affected level for each impacted release: V11.5.9, V12.1.1 and V12.1.2. They can be applied to any affected mod pack level of the appropriate release to remediate this vulnerability.\n\n \n\nRelease Fixed in mod pack APAR Download URL\nV11.5 TBD DT425663 \nSpecial Build #62071 or later for V11.5.9 available at this link:\n\n https://www.ibm.com/support/pages/node/7087189 \nV12.1 V12.1.2 DT425663 \nSpecial Build #62100 or later for V12.1.1 available at this link:\n\n https://www.ibm.com/support/pages/db2-v1211-published-cumulative-special-build-downloads#52441 \n\n12.1.2 Latest:\n\n https://www.ibm.com/support/pages/db2-v1212-published-cumulative-special-build-downloads \n\n \n\nIBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.\n\nNote: After December 31, 2025, 11.1 and 10.5 versions of Db2 will not have security fixes made available as they will reach EoS."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Db2 denial of service",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36071",
"datePublished": "2025-07-29T18:27:40.227Z",
"dateReserved": "2025-04-15T21:16:13.121Z",
"dateUpdated": "2025-07-29T19:32:16.496Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-36128 (GCVE-0-2025-36128)
Vulnerability from cvelistv5 – Published: 2025-10-16 16:49 – Updated: 2025-10-16 18:13
VLAI
Title
IBM MQ denial of service
Summary
IBM MQ 9.1, 9.2, 9.3, 9.4 LTS and 9.3, 9.4 CD is vulnerable to a denial of service, caused by improper enforcement of the timeout on individual read operations. By conducting slowloris-type attacks, a remote attacker could exploit this vulnerability to cause a denial of service.
Severity
7.5 (High)
CWE
- CWE-772 - Missing Release of Resource after Effective Lifetime
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7244480 | vendor-advisorypatch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | MQ |
Affected:
9.1
Affected: 9.2 Affected: 9.3 Affected: 9.4 cpe:2.3:a:ibm:mq:9.1.0:*:*:*:lts:*:*:* cpe:2.3:a:ibm:mq:9.2.0:*:*:*:lts:*:*:* cpe:2.3:a:ibm:mq:9.3.0:*:*:*:lts:*:*:* cpe:2.3:a:ibm:mq:9.4.0:*:*:*:lts:*:*:* |
|
| IBM | MQ |
Affected:
9.3
Affected: 9.4 cpe:2.3:a:ibm:mq:9.3.0:*:*:*:continuous_delivery:*:*:* cpe:2.3:a:ibm:mq:9.4.0:*:*:*:continuous_delivery:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36128",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-16T18:03:23.348860Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T18:13:32.234Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:mq:9.1.0:*:*:*:lts:*:*:*",
"cpe:2.3:a:ibm:mq:9.2.0:*:*:*:lts:*:*:*",
"cpe:2.3:a:ibm:mq:9.3.0:*:*:*:lts:*:*:*",
"cpe:2.3:a:ibm:mq:9.4.0:*:*:*:lts:*:*:*"
],
"defaultStatus": "unaffected",
"product": "MQ",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "9.1"
},
{
"status": "affected",
"version": "9.2"
},
{
"status": "affected",
"version": "9.3"
},
{
"status": "affected",
"version": "9.4"
}
],
"x_SWEdition": "LTS"
},
{
"cpes": [
"cpe:2.3:a:ibm:mq:9.3.0:*:*:*:continuous_delivery:*:*:*",
"cpe:2.3:a:ibm:mq:9.4.0:*:*:*:continuous_delivery:*:*:*"
],
"defaultStatus": "unaffected",
"product": "MQ",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "9.3"
},
{
"status": "affected",
"version": "9.4"
}
],
"x_SWEdition": "CD"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM MQ 9.1, 9.2, 9.3, 9.4 LTS and 9.3, 9.4 CD is vulnerable to a denial of service, caused by improper enforcement of the timeout on individual read operations. By conducting slowloris-type attacks, a remote attacker could exploit this vulnerability to cause a denial of service."
}
],
"value": "IBM MQ 9.1, 9.2, 9.3, 9.4 LTS and 9.3, 9.4 CD is vulnerable to a denial of service, caused by improper enforcement of the timeout on individual read operations. By conducting slowloris-type attacks, a remote attacker could exploit this vulnerability to cause a denial of service."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772 Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T16:49:26.251Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7244480"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTo secure IBM WebSphere Liberty profile shipped with IBM MQ from Slowloris DDoS attacks, use one of the following methods:\u003c/p\u003e\u003cp\u003e1. Load Balancer Configuration\u003c/p\u003e\u003cp\u003eIf the setup involves a load balancer in front of the IBM WebSphere Liberty profile of IBM MQ, configure the load balancer to handle Slowloris-style attacks. A load balancer acts as an intermediary between clients and Liberty, distributing incoming requests across multiple backend servers.\u003c/p\u003e\u003cp\u003eBy using hardware load balancers with properly configured HTTP profiles, only complete and valid HTTP requests are forwarded to the web server, effectively filtering out the partial requests caused by Slowloris. This approach helps to prevent the attack from overwhelming the server, allowing it to continue serving legitimate traffic. Refer to IBM WebSphere Liberty documentation for configuration details.\u003c/p\u003e\u003cp\u003e2. Reverse Proxy\u003c/p\u003e\u003cp\u003eConsider using a reverse proxy to handle client requests. The reverse proxy can implement various security measures, including request buffering and handling connection timeouts, to mitigate Slowloris attacks.\u003c/p\u003e\u003cp\u003e3. Web Application Firewall (WAF)\u003c/p\u003e\u003cp\u003eDeploy a Web Application Firewall that can detect and block Slowloris-style attacks. A WAF can analyze incoming traffic, identify suspicious patterns indicative of Slowloris attacks, and block such requests before they reach the application server.\u003c/p\u003e\u003cp\u003e4. Limit Concurrent Connections\u003c/p\u003e\u003cp\u003eImplement a limit on the number of concurrent connections allowed from a single IP address or source. This helps to prevent an attack from establishing numerous connections and consuming all available server resources.\u003c/p\u003e\u003cp\u003e5. Traffic Rate Limiting\u003c/p\u003e\u003cp\u003eImplement rate-limiting mechanisms on the server to restrict the number of requests from a single IP address or source within a specific time frame. This method helps to prevent an attack from sending a pool of requests in a short period.\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "To secure IBM WebSphere Liberty profile shipped with IBM MQ from Slowloris DDoS attacks, use one of the following methods:\n\n1. Load Balancer Configuration\n\nIf the setup involves a load balancer in front of the IBM WebSphere Liberty profile of IBM MQ, configure the load balancer to handle Slowloris-style attacks. A load balancer acts as an intermediary between clients and Liberty, distributing incoming requests across multiple backend servers.\n\nBy using hardware load balancers with properly configured HTTP profiles, only complete and valid HTTP requests are forwarded to the web server, effectively filtering out the partial requests caused by Slowloris. This approach helps to prevent the attack from overwhelming the server, allowing it to continue serving legitimate traffic. Refer to IBM WebSphere Liberty documentation for configuration details.\n\n2. Reverse Proxy\n\nConsider using a reverse proxy to handle client requests. The reverse proxy can implement various security measures, including request buffering and handling connection timeouts, to mitigate Slowloris attacks.\n\n3. Web Application Firewall (WAF)\n\nDeploy a Web Application Firewall that can detect and block Slowloris-style attacks. A WAF can analyze incoming traffic, identify suspicious patterns indicative of Slowloris attacks, and block such requests before they reach the application server.\n\n4. Limit Concurrent Connections\n\nImplement a limit on the number of concurrent connections allowed from a single IP address or source. This helps to prevent an attack from establishing numerous connections and consuming all available server resources.\n\n5. Traffic Rate Limiting\n\nImplement rate-limiting mechanisms on the server to restrict the number of requests from a single IP address or source within a specific time frame. This method helps to prevent an attack from sending a pool of requests in a short period."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM MQ denial of service",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36128",
"datePublished": "2025-10-16T16:49:26.251Z",
"dateReserved": "2025-04-15T21:16:18.171Z",
"dateUpdated": "2025-10-16T18:13:32.234Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3864 (GCVE-0-2025-3864)
Vulnerability from cvelistv5 – Published: 2025-05-28 11:19 – Updated: 2026-01-26 12:13 X_Open Source
VLAI
Title
Connection pool exhaustion in hackney
Summary
Hackney fails to properly release HTTP connections to the pool after handling 307 Temporary Redirect responses. Remote attackers can exploit this to exhaust connection pools, causing denial of service in applications using the library.
Fix for this issue has been included in 1.24.0 release.
Severity
CWE
- CWE-772 - Missing Release of Resource after Effective Lifetime
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/benoitc/hackney/issues/717 | issue-tracking |
| https://cert.pl/en/posts/2025/05/CVE-2025-3864/ | third-party-advisory |
| https://github.com/benoitc/hackney/commit/8f13dda… | patch |
Date Public
2025-05-27 10:05
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3864",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-28T13:17:43.365984Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T13:17:57.950Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "hackney",
"repo": "https://github.com/benoitc/hackney",
"vendor": "hackney",
"versions": [
{
"lessThan": "1.24.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Micha\u0142 Majchrowicz, Marcin Wyczechowski, and Pawe\u0142 Zdunek \u2014 members of the AFINE Team"
}
],
"datePublic": "2025-05-27T10:05:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Hackney fails to properly release HTTP connections to the pool after handling 307 Temporary Redirect responses. Remote attackers can exploit this to exhaust connection pools, causing denial of service in applications using the library.\u003cbr\u003eFix for this issue has been included in\u0026nbsp;1.24.0 release."
}
],
"value": "Hackney fails to properly release HTTP connections to the pool after handling 307 Temporary Redirect responses. Remote attackers can exploit this to exhaust connection pools, causing denial of service in applications using the library.\nFix for this issue has been included in\u00a01.24.0 release."
}
],
"impacts": [
{
"capecId": "CAPEC-469",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-469 HTTP DoS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772 Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T12:13:02.411Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/benoitc/hackney/issues/717"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2025/05/CVE-2025-3864/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/benoitc/hackney/commit/8f13ddac50d1626f8b9a47a08bd599e4efe1773d"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "Connection pool exhaustion in hackney",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2025-3864",
"datePublished": "2025-05-28T11:19:15.208Z",
"dateReserved": "2025-04-22T08:43:49.641Z",
"dateUpdated": "2026-01-26T12:13:02.411Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-44003 (GCVE-0-2025-44003)
Vulnerability from cvelistv5 – Published: 2025-07-10 03:09 – Updated: 2025-07-10 13:11
VLAI
Summary
Missing Release of Resource after Effective Lifetime (CWE-772) in the Gallagher T-Series Reader allows an attacker with physical access to the reader to perform a limited denial of service when 125 kHz Card Technology is enabled.
This issue affects T-Series Readers: 9.20 prior to vCR9.20.250213a (distributed in 9.20.1827 (MR2)), 9.10 prior to vCR9.10.250213a (distributed in 9.10.2692(MR5)), 9.00 prior to vCR9.00.250619a (distributed in vEL9.00.3371 (MR7)), all versions of 8.90 and prior.
Severity
4.3 (Medium)
CWE
- CWE-772 - Missing Release of Resource after Effective Lifetime
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Gallagher | T-Series Readers |
Affected:
0 , ≤ 8.90
(custom)
Affected: 9.20 , < vCR9.20.250213a (custom) Affected: 9.10 , < vCR9.10.250213a (custom) Affected: 9.00 , < vCR9.00.250619a (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-44003",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-10T13:11:06.416095Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T13:11:13.511Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "T-Series Readers",
"vendor": "Gallagher",
"versions": [
{
"lessThanOrEqual": "8.90",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vCR9.20.250213a",
"status": "affected",
"version": "9.20",
"versionType": "custom"
},
{
"lessThan": "vCR9.10.250213a",
"status": "affected",
"version": "9.10",
"versionType": "custom"
},
{
"lessThan": "vCR9.00.250619a",
"status": "affected",
"version": "9.00",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eMissing Release of Resource after Effective Lifetime (CWE-772) in the Gallagher T-Series Reader allows an attacker with physical access to the reader to perform a limited denial of service when 125 kHz Card Technology is enabled.\u003c/span\u003e\n\n\u003cp\u003eThis issue affects T-Series Readers: \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e9.20 prior to vCR9.20.250213a (distributed in 9.20.1827 (MR2)), 9.10 prior to vCR9.10.250213a (distributed in 9.10.2692(MR5)), 9.00 prior to vCR9.00.250619a (distributed in \u0026nbsp;vEL9.00.3371 (MR7)), \u0026nbsp;all versions of 8.90 and prior. \u003c/span\u003e\n\n\u003c/p\u003e"
}
],
"value": "Missing Release of Resource after Effective Lifetime (CWE-772) in the Gallagher T-Series Reader allows an attacker with physical access to the reader to perform a limited denial of service when 125 kHz Card Technology is enabled.\n\nThis issue affects T-Series Readers: 9.20 prior to vCR9.20.250213a (distributed in 9.20.1827 (MR2)), 9.10 prior to vCR9.10.250213a (distributed in 9.10.2692(MR5)), 9.00 prior to vCR9.00.250619a (distributed in \u00a0vEL9.00.3371 (MR7)), \u00a0all versions of 8.90 and prior."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772 Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T03:09:43.640Z",
"orgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"shortName": "Gallagher"
},
"references": [
{
"url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2025-44003"
}
],
"source": {
"discovery": "INTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"assignerShortName": "Gallagher",
"cveId": "CVE-2025-44003",
"datePublished": "2025-07-10T03:09:43.640Z",
"dateReserved": "2025-06-17T02:18:59.237Z",
"dateUpdated": "2025-07-10T13:11:13.511Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54983 (GCVE-0-2025-54983)
Vulnerability from cvelistv5 – Published: 2025-11-12 03:07 – Updated: 2025-11-12 18:18
VLAI
Title
Health check port on ZCC allows tunnel bypass
Summary
A health check port on Zscaler Client Connector on Windows, versions 4.6 < 4.6.0.216 and 4.7 < 4.7.0.47, which under specific circumstances was not released after use, allowed traffic to potentially bypass ZCC forwarding controls.
Severity
5.2 (Medium)
CWE
- CWE-772 - Missing Release of Resource after Effective Lifetime
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Zscaler | Zscaler Client Connector |
Affected:
4.6 , < 4.6.0.216
(custom)
Affected: 4.7 , < 4.7.0.47 (custom) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54983",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T18:18:25.758917Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T18:18:36.813Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Zscaler Client Connector",
"vendor": "Zscaler",
"versions": [
{
"lessThan": "4.6.0.216",
"status": "affected",
"version": "4.6",
"versionType": "custom"
},
{
"lessThan": "4.7.0.47",
"status": "affected",
"version": "4.7",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "other",
"value": "DTCC Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A health check port on Zscaler Client Connector on Windows, versions 4.6 \u0026lt; 4.6.0.216 and 4.7 \u0026lt; 4.7.0.47, which under specific circumstances was not released after use, allowed traffic to potentially bypass ZCC forwarding controls.\n\n\u003cbr\u003e"
}
],
"value": "A health check port on Zscaler Client Connector on Windows, versions 4.6 \u003c 4.6.0.216 and 4.7 \u003c 4.7.0.47, which under specific circumstances was not released after use, allowed traffic to potentially bypass ZCC forwarding controls."
}
],
"impacts": [
{
"capecId": "CAPEC-554",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-554 Functionality Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772 Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T03:07:39.531Z",
"orgId": "73c6f63b-efac-410d-a0a9-569700f85a04",
"shortName": "Zscaler"
},
"references": [
{
"url": "https://help.zscaler.com/zscaler-client-connector/client-connector-app-release-summary-2025"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Health check port on ZCC allows tunnel bypass",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "73c6f63b-efac-410d-a0a9-569700f85a04",
"assignerShortName": "Zscaler",
"cveId": "CVE-2025-54983",
"datePublished": "2025-11-12T03:07:39.531Z",
"dateReserved": "2025-08-04T14:51:53.367Z",
"dateUpdated": "2025-11-12T18:18:36.813Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-61670 (GCVE-0-2025-61670)
Vulnerability from cvelistv5 – Published: 2025-10-07 18:49 – Updated: 2025-10-07 19:16
VLAI
Title
Wasmtime has memory leak in C API with `externref` and `anyref` types
Summary
Wasmtime is a runtime for WebAssembly. Wasmtime 37.0.0 and 37.0.1 have memory leaks in the C/C++ API when using bindings for the `anyref` or `externref` WebAssembly values. This is caused by a regression introduced during the development of 37.0.0 and all prior versions of Wasmtime are unaffected. If `anyref` or `externref` is not used in the C/C++ API then embeddings are also unaffected by the leaky behavior. The `wasmtime` Rust crate is unaffected by this leak.
Development of Wasmtime 37.0.0 included a refactoring in Rust of changing the old `ManuallyRooted<T>` type to a new `OwnedRooted<T>` type. This change was integrated into Wasmtime's C API but left the C API in a state which had memory leaks. Additionally the new ownership semantics around this type were not reflected into the C++ API, making it leak-prone. A short version of the change is that previously `ManuallyRooted<T>`, as the name implies, required manual calls to an "unroot" operation. If this was forgotten then the memory was still cleaned up when the `wasmtime_store_t` itself was destroyed eventually. Documentation of when to "unroot" was sparse and there were already situations prior to 37.0.0 where memory would be leaked until the store was destroyed anyway. All memory, though, was always bound by the store, and destroying the store would guarantee that there were no memory leaks.
In migrating to `OwnedRooted<T>` the usage of the type in Rust changed. A manual "unroot" operation is no longer required and it happens naturally as a destructor of the `OwnedRooted<T>` type in Rust itself. These new resource ownership semantics were not fully integrated into the preexisting semantics of the C/C++ APIs in Wasmtime. A crucial distinction of `OwnedRooted<T>` vs `ManuallyRooted<T>` is that the `OwnedRooted<T>` type allocates host memory outside of the store. This means that if an `OwnedRooted<T>` is leaked then destroying a store does not release this memory and it's a permanent memory leak on the host.
This led to a few distinct, but related, issues arising: A typo in the `wasmtime_val_unroot` function in the C API meant that it did not actually unroot anything. This meant that even if embedders faithfully call the function then memory will be leaked. If a host-defined function returned a `wasmtime_{externref,anyref}_t` value then the value was never unrooted. The C/C++ API no longer has access to the value and the Rust implementation did not unroot. This meant that any values returned this way were never unrooted. The goal of the C++ API of Wasmtime is to encode automatic memory management in the type system, but the C++ API was not updated when `OwnedRooted<T>` was added. This meant that idiomatic usage of the C++ API would leak memory due to a lack of destructors on values.
These issues have all been fixed in a 37.0.2 release of Wasmtime. The implementation of the C and C++ APIs have been updated accordingly and respectively to account for the changes of ownership here. For example `wasmtime_val_unroot` has been fixed to unroot, the Rust-side implementation of calling an embedder-defined function will unroot return values, and the C++ API now has destructors on the `ExternRef`, `AnyRef`, and `Val` types. These changes have been made to the 37.0.x release branch in a non-API-breaking fashion. Changes to the 38.0.0 release branch (and `main` in the Wasmtime repository) include minor API updates to better accommodate the API semantic changes. The only known workaround at this time is to avoid using `externref` and `anyref` in the C/C++ API of Wasmtime. If avoiding those types is not possible then it's required for users to update to mitigate the leak issue.
Severity
CWE
- CWE-772 - Missing Release of Resource after Effective Lifetime
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/bytecodealliance/wasmtime/secu… | x_refsource_CONFIRM |
| https://github.com/bytecodealliance/wasmtime/comm… | x_refsource_MISC |
| https://github.com/bytecodealliance/wasmtime/rele… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| bytecodealliance | wasmtime |
Affected:
>= 37.0.0, < 37.0.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61670",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-07T19:13:46.389514Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T19:16:40.499Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "wasmtime",
"vendor": "bytecodealliance",
"versions": [
{
"status": "affected",
"version": "\u003e= 37.0.0, \u003c 37.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Wasmtime is a runtime for WebAssembly. Wasmtime 37.0.0 and 37.0.1 have memory leaks in the C/C++ API when using bindings for the `anyref` or `externref` WebAssembly values. This is caused by a regression introduced during the development of 37.0.0 and all prior versions of Wasmtime are unaffected. If `anyref` or `externref` is not used in the C/C++ API then embeddings are also unaffected by the leaky behavior. The `wasmtime` Rust crate is unaffected by this leak.\n\nDevelopment of Wasmtime 37.0.0 included a refactoring in Rust of changing the old `ManuallyRooted\u003cT\u003e` type to a new `OwnedRooted\u003cT\u003e` type. This change was integrated into Wasmtime\u0027s C API but left the C API in a state which had memory leaks. Additionally the new ownership semantics around this type were not reflected into the C++ API, making it leak-prone. A short version of the change is that previously `ManuallyRooted\u003cT\u003e`, as the name implies, required manual calls to an \"unroot\" operation. If this was forgotten then the memory was still cleaned up when the `wasmtime_store_t` itself was destroyed eventually. Documentation of when to \"unroot\" was sparse and there were already situations prior to 37.0.0 where memory would be leaked until the store was destroyed anyway. All memory, though, was always bound by the store, and destroying the store would guarantee that there were no memory leaks.\n\nIn migrating to `OwnedRooted\u003cT\u003e` the usage of the type in Rust changed. A manual \"unroot\" operation is no longer required and it happens naturally as a destructor of the `OwnedRooted\u003cT\u003e` type in Rust itself. These new resource ownership semantics were not fully integrated into the preexisting semantics of the C/C++ APIs in Wasmtime. A crucial distinction of `OwnedRooted\u003cT\u003e` vs `ManuallyRooted\u003cT\u003e` is that the `OwnedRooted\u003cT\u003e` type allocates host memory outside of the store. This means that if an `OwnedRooted\u003cT\u003e` is leaked then destroying a store does not release this memory and it\u0027s a permanent memory leak on the host.\n\nThis led to a few distinct, but related, issues arising: A typo in the `wasmtime_val_unroot` function in the C API meant that it did not actually unroot anything. This meant that even if embedders faithfully call the function then memory will be leaked. If a host-defined function returned a `wasmtime_{externref,anyref}_t` value then the value was never unrooted. The C/C++ API no longer has access to the value and the Rust implementation did not unroot. This meant that any values returned this way were never unrooted. The goal of the C++ API of Wasmtime is to encode automatic memory management in the type system, but the C++ API was not updated when `OwnedRooted\u003cT\u003e` was added. This meant that idiomatic usage of the C++ API would leak memory due to a lack of destructors on values.\n\nThese issues have all been fixed in a 37.0.2 release of Wasmtime. The implementation of the C and C++ APIs have been updated accordingly and respectively to account for the changes of ownership here. For example `wasmtime_val_unroot` has been fixed to unroot, the Rust-side implementation of calling an embedder-defined function will unroot return values, and the C++ API now has destructors on the `ExternRef`, `AnyRef`, and `Val` types. These changes have been made to the 37.0.x release branch in a non-API-breaking fashion. Changes to the 38.0.0 release branch (and `main` in the Wasmtime repository) include minor API updates to better accommodate the API semantic changes. The only known workaround at this time is to avoid using `externref` and `anyref` in the C/C++ API of Wasmtime. If avoiding those types is not possible then it\u0027s required for users to update to mitigate the leak issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 1,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772: Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T18:49:53.869Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-vvp9-h8p2-xwfc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-vvp9-h8p2-xwfc"
},
{
"name": "https://github.com/bytecodealliance/wasmtime/commit/adff9d9d0f09569203709d5687e5a7dc8e1ad0a3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bytecodealliance/wasmtime/commit/adff9d9d0f09569203709d5687e5a7dc8e1ad0a3"
},
{
"name": "https://github.com/bytecodealliance/wasmtime/releases/tag/v37.0.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v37.0.2"
}
],
"source": {
"advisory": "GHSA-vvp9-h8p2-xwfc",
"discovery": "UNKNOWN"
},
"title": "Wasmtime has memory leak in C API with `externref` and `anyref` types"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-61670",
"datePublished": "2025-10-07T18:49:53.869Z",
"dateReserved": "2025-09-29T20:25:16.180Z",
"dateUpdated": "2025-10-07T19:16:40.499Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-62723 (GCVE-0-2025-62723)
Vulnerability from cvelistv5 – Published: 2025-10-24 20:16 – Updated: 2025-10-24 20:32
VLAI
Title
FlashMQ does not release memory of queued QoS messages
Summary
FlashMQ is a MQTT broker/server, designed for multi-CPU environments. Prior to version 1.23.2, any authenticated user can create sessions and have them collect QoS messages. When not sent to a client, these are then not released upon (eventual) session expiration. Version 1.23.2 fixes the issue.
Severity
4.3 (Medium)
CWE
- CWE-772 - Missing Release of Resource after Effective Lifetime
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/halfgaar/FlashMQ/security/advi… | x_refsource_CONFIRM |
| https://github.com/halfgaar/FlashMQ/issues/154 | x_refsource_MISC |
| https://github.com/halfgaar/FlashMQ/commit/e86c49… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62723",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-24T20:31:44.102351Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T20:32:00.596Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FlashMQ",
"vendor": "halfgaar",
"versions": [
{
"status": "affected",
"version": "\u003c 1.23.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FlashMQ is a MQTT broker/server, designed for multi-CPU environments. Prior to version 1.23.2, any authenticated user can create sessions and have them collect QoS messages. When not sent to a client, these are then not released upon (eventual) session expiration. Version 1.23.2 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772: Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T20:16:34.047Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/halfgaar/FlashMQ/security/advisories/GHSA-7mhp-22q4-r6vv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/halfgaar/FlashMQ/security/advisories/GHSA-7mhp-22q4-r6vv"
},
{
"name": "https://github.com/halfgaar/FlashMQ/issues/154",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/halfgaar/FlashMQ/issues/154"
},
{
"name": "https://github.com/halfgaar/FlashMQ/commit/e86c49360ef4387440c97f591770cdb9284b4ee9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/halfgaar/FlashMQ/commit/e86c49360ef4387440c97f591770cdb9284b4ee9"
}
],
"source": {
"advisory": "GHSA-7mhp-22q4-r6vv",
"discovery": "UNKNOWN"
},
"title": "FlashMQ does not release memory of queued QoS messages"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62723",
"datePublished": "2025-10-24T20:16:34.047Z",
"dateReserved": "2025-10-20T19:41:22.741Z",
"dateUpdated": "2025-10-24T20:32:00.596Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-64734 (GCVE-0-2025-64734)
Vulnerability from cvelistv5 – Published: 2025-11-18 03:26 – Updated: 2025-11-19 16:49
VLAI
Summary
Missing Release of Resource after Effective Lifetime (CWE-772) in the T21 Reader allows an attacker with physical access to the Reader to perform a denial-of-service attack against that specific reader, preventing cardholders from badging for entry.
This issue affects Command Centre Server:
9.30 prior to vCR9.30.251028a (distributed in 9.30.2881 (MR3)), 9.20 prior to vCR9.20.251028a (distributed in 9.20.3265 (MR5)), 9.10 prior to vCR9.10.251028a (distributed in 9.10.4135 (MR8)), all versions of 9.00 and prior.
Severity
CWE
- CWE-772 - Missing Release of Resource after Effective Lifetime
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Gallagher | T21 Reader |
Affected:
0 , ≤ 9.00
(custom)
Affected: 9.30 , < vCR9.30.251028a (custom) Affected: 9.20 , < vCR9.20.251028a (custom) Affected: 9.10 , < vCR9.10.251028a (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64734",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T15:03:05.849954Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T16:49:27.607Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "T21 Reader",
"vendor": "Gallagher",
"versions": [
{
"lessThanOrEqual": "9.00",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vCR9.30.251028a",
"status": "affected",
"version": "9.30",
"versionType": "custom"
},
{
"lessThan": "vCR9.20.251028a",
"status": "affected",
"version": "9.20",
"versionType": "custom"
},
{
"lessThan": "vCR9.10.251028a",
"status": "affected",
"version": "9.10",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eMissing Release of Resource after Effective Lifetime (CWE-772) in the T21 Reader allows an attacker with physical access to the Reader to perform a denial-of-service attack against that specific reader, preventing cardholders from badging for entry. \u003c/span\u003e\n\n\u003cp\u003eThis issue affects Command Centre Server: \n\n9.30 prior to vCR9.30.251028a (distributed in 9.30.2881 (MR3)), 9.20 prior to vCR9.20.251028a (distributed in 9.20.3265 (MR5)), 9.10 prior to vCR9.10.251028a (distributed in 9.10.4135 (MR8)),\u0026nbsp; all versions of 9.00 and prior.\n\n\u003c/p\u003e"
}
],
"value": "Missing Release of Resource after Effective Lifetime (CWE-772) in the T21 Reader allows an attacker with physical access to the Reader to perform a denial-of-service attack against that specific reader, preventing cardholders from badging for entry. \n\nThis issue affects Command Centre Server: \n\n9.30 prior to vCR9.30.251028a (distributed in 9.30.2881 (MR3)), 9.20 prior to vCR9.20.251028a (distributed in 9.20.3265 (MR5)), 9.10 prior to vCR9.10.251028a (distributed in 9.10.4135 (MR8)),\u00a0 all versions of 9.00 and prior."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "LOW",
"baseScore": 2.4,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772 Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T03:26:44.442Z",
"orgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"shortName": "Gallagher"
},
"references": [
{
"url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2025-64734"
}
],
"source": {
"discovery": "INTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"assignerShortName": "Gallagher",
"cveId": "CVE-2025-64734",
"datePublished": "2025-11-18T03:26:44.442Z",
"dateReserved": "2025-11-11T04:00:46.427Z",
"dateUpdated": "2025-11-19T16:49:27.607Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation ID: MIT-3
Phase: Requirements
Strategy: Language Selection
Description:
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated.
Mitigation
Phase: Implementation
Description:
- It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free resources in a function. If you allocate resources that you intend to free upon completion of the function, you must be sure to free the resources at all exit points for that function including error conditions.
Mitigation ID: MIT-47
Phases: Operation, Architecture and Design
Strategy: Resource Limitation
Description:
- Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems.
- When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resources to privileged users; alternately, begin releasing resources for less-privileged users. While this mitigation may protect the system from attack, it will not necessarily stop attackers from adversely impacting other users.
- Ensure that the application performs the appropriate error checks and error handling in case resources become unavailable (CWE-703).
CAPEC-469: HTTP DoS
An attacker performs flooding at the HTTP level to bring down only a particular web application rather than anything listening on a TCP/IP connection. This denial of service attack requires substantially fewer packets to be sent which makes DoS harder to detect. This is an equivalent of SYN flood in HTTP. The idea is to keep the HTTP session alive indefinitely and then repeat that hundreds of times. This attack targets resource depletion weaknesses in web server software. The web server will wait to attacker's responses on the initiated HTTP sessions while the connection threads are being exhausted.