GHSA-GW2X-Q739-QHCR

Vulnerability from github – Published: 2026-01-07 18:36 – Updated: 2026-01-07 21:34
Summary
RustFS gRPC GetMetrics deserialization panic enables remote DoS
Details

Summary

A malformed gRPC GetMetrics request causes get_metrics to unwrap() failed deserialization of metric_type/opts, panicking the handler thread and enabling remote denial of service of the metrics endpoint.

Details

  • Vulnerable code: rustfs/src/storage/tonic_service.rs:1775-1782:
      ◦ MetricType and CollectMetricsOpts are deserialized with Deserialize::deserialize(...).unwrap() from client-supplied bytes.
      ◦ Malformed metric_type/opts (e.g., empty or truncated rmp-serde payloads) trigger InvalidMarkerRead and panic.
  • Reachability: same TCP listener as S3 (default :9000); only a static interceptor token, the header 'authorization: rustfs rpc', is checked in server/http.rs:677.
  • Impact scope: panic terminates the worker handling the request, causing metrics service interruption and potential process instability.
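As an added illustration (not RustFS code), the handler shape the advisory describes beside its hardened form: a tiny decoder stands in for rmp-serde and a struct stands in for tonic::Status, and the wire format, names and error variants are assumptions made for this example.

```rust
// Added illustration, not RustFS code. A tiny decoder stands in for
// rmp-serde and a struct stands in for tonic::Status (both assumptions),
// so the block compiles with std only.

#[derive(Debug, PartialEq)]
pub enum MetricType { Cpu, Memory, Disk }

#[derive(Debug, PartialEq)]
pub enum DecodeError { InvalidMarkerRead, UnknownVariant(u8) }

/// Hypothetical wire format: MessagePack uint8 marker (0xCC) then the variant index.
/// Empty or truncated input has no readable marker, mirroring rmp's InvalidMarkerRead.
pub fn decode_metric_type(bytes: &[u8]) -> Result<MetricType, DecodeError> {
    match bytes {
        [0xCC, v, ..] => match *v {
            0 => Ok(MetricType::Cpu),
            1 => Ok(MetricType::Memory),
            2 => Ok(MetricType::Disk),
            other => Err(DecodeError::UnknownVariant(other)),
        },
        _ => Err(DecodeError::InvalidMarkerRead),
    }
}

/// Stand-in for tonic::Status: the gRPC status returned to the client.
#[derive(Debug, PartialEq)]
pub struct Status { pub code: &'static str, pub message: String }

/// Vulnerable shape: unwrap() on client-supplied bytes panics the worker
/// instead of returning a status, which is the defect the advisory describes.
pub fn get_metrics_vulnerable(metric_type: &[u8]) -> Result<String, Status> {
    let mt = decode_metric_type(metric_type).unwrap();
    Ok(format!("metrics for {mt:?}"))
}

/// Hardened shape: a decode failure becomes an InvalidArgument status and
/// the worker keeps serving other requests.
pub fn get_metrics_hardened(metric_type: &[u8]) -> Result<String, Status> {
    let mt = decode_metric_type(metric_type).map_err(|e| Status {
        code: "InvalidArgument",
        message: format!("bad metric_type: {e:?}"),
    })?;
    Ok(format!("metrics for {mt:?}"))
}

fn main() {
    // catch_unwind stands in for the runtime worker so the panic is visible here.
    let vulnerable = std::panic::catch_unwind(|| get_metrics_vulnerable(&[]));
    println!("vulnerable handler on empty payload: panicked = {}", vulnerable.is_err());
    println!("hardened handler on empty payload: {:?}", get_metrics_hardened(&[]));
}
```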

PoC

rustfs-grpc-metrics-invalid-metric-type-panic-poc.tar.gz (https://github.com/user-attachments/files/24038341/rustfs-grpc-metrics-invalid-metric-type-panic-poc.tar.gz)

1) Start RustFS (example local dev):

mkdir -p /tmp/rustfs-data1 /tmp/rustfs-data2
RUSTFS_ACCESS_KEY=devadmin RUSTFS_SECRET_KEY=devadmin \
  cargo run --bin rustfs -- --address 0.0.0.0:9000 \
  /tmp/rustfs-data1 /tmp/rustfs-data2

2) From rustfs-grpc-metrics-invalid-metric-type-panic-poc/, run:

ENDPOINT=127.0.0.1:9000 make run
# or: grpcurl -plaintext \
#   -H 'authorization: rustfs rpc' \
#   -import-path ../crates/protos/src -proto node.proto \
#   -d '{"metric_type":"","opts":""}' \
#   127.0.0.1:9000 node_service.NodeService/GetMetrics

3) Observe panic in server logs at tonic_service.rs:get_metrics with InvalidMarkerRead and worker crash; client output saved to poc-response.txt/poc-grpcurl.log.

Impact

  • Vulnerability type: remote unauthenticated (static token) denial of service via panic in gRPC handler.
  • Who is impacted: any deployment exposing the gRPC endpoint where an attacker can reach port 9000 and supply the known 'authorization: rustfs rpc' header; metrics service is disrupted and may affect overall stability depending on runtime crash handling.

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.0-alpha.77"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "rustfs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0-alpha.13"
            },
            {
              "fixed": "1.0.0-alpha.78"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-69255"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-755"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-07T18:36:23Z",
    "nvd_published_at": "2026-01-07T21:16:00Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nA malformed gRPC `GetMetrics` request causes `get_metrics` to `unwrap()` failed deserialization of `metric_type`/`opts`, panicking the handler thread and enabling remote denial of service of the metrics endpoint.\n\n### Details\n- Vulnerable code: `rustfs/src/storage/tonic_service.rs:1775-1782`:\n  - `MetricType` and `CollectMetricsOpts` are deserialized with `Deserialize::deserialize(...).unwrap()` from client-supplied bytes.\n  - Malformed `metric_type`/`opts` (e.g., empty or truncated rmp-serde payloads) trigger `InvalidMarkerRead` and panic.\n- Reachability: same TCP listener as S3 (default `:9000`); only a static interceptor token `authorization: rustfs rpc` is checked in `server/http.rs:677`.\n- Impact scope: panic terminates the worker handling the request, causing metrics service interruption and potential process instability.\n\n### PoC\n\n[rustfs-grpc-metrics-invalid-metric-type-panic-poc.tar.gz](https://github.com/user-attachments/files/24038341/rustfs-grpc-metrics-invalid-metric-type-panic-poc.tar.gz)\n\n\n1) Start RustFS (example local dev):\n```bash\nmkdir -p /tmp/rustfs-data1 /tmp/rustfs-data2\nRUSTFS_ACCESS_KEY=devadmin RUSTFS_SECRET_KEY=devadmin \\\n  cargo run --bin rustfs -- --address 0.0.0.0:9000 \\\n  /tmp/rustfs-data1 /tmp/rustfs-data2\n```\n2) From `rustfs-grpc-metrics-invalid-metric-type-panic-poc/`, run:\n```bash\nENDPOINT=127.0.0.1:9000 make run\n# or: grpcurl -plaintext \\\n#   -H \u0027authorization: rustfs rpc\u0027 \\\n#   -import-path ../crates/protos/src -proto node.proto \\\n#   -d \u0027{\"metric_type\":\"\",\"opts\":\"\"}\u0027 \\\n#   127.0.0.1:9000 node_service.NodeService/GetMetrics\n```\n3) Observe panic in server logs at `tonic_service.rs:get_metrics` with `InvalidMarkerRead` and worker crash; client output saved to `poc-response.txt`/`poc-grpcurl.log`.\n\n### Impact\n- Vulnerability type: remote unauthenticated (static token) denial of service via panic in gRPC handler.\n- Who is impacted: any deployment exposing the gRPC endpoint where an attacker can reach port 9000 and supply the known `authorization: rustfs rpc` header; metrics service is disrupted and may affect overall stability depending on runtime crash handling.",
  "id": "GHSA-gw2x-q739-qhcr",
  "modified": "2026-01-07T21:34:37Z",
  "published": "2026-01-07T18:36:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rustfs/rustfs/security/advisories/GHSA-gw2x-q739-qhcr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69255"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rustfs/rustfs/commit/eb33e82b56ed11fd12bb39416359d8d60737dc7a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rustfs/rustfs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "RustFS gRPC GetMetrics deserialization panic enables remote DoS"
}