CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Description (NVD)
Due to multiple time-of-check time-of-use race conditions in the resource count check and increment logic, as well as missing validations, users of the platform are able to exceed the allocation limits configured for their accounts/domains. This can be used by an attacker to degrade the infrastructure's resources and lead to denial of service conditions.
Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fix this issue.
Analysis (AI)
Apache CloudStack fails to properly validate resource allocation limits due to time-of-check time-of-use race conditions and missing validations, allowing authenticated users to exceed configured account and domain resource quotas and trigger denial of service conditions. Authenticated network attackers can exploit this vulnerability without user interaction to exhaust infrastructure resources. Affected versions prior to 4.20.3.0 and 4.22.0.1 require immediate patching.
Technical Context (AI)
Apache CloudStack is an open-source Infrastructure-as-a-Service (IaaS) platform that manages virtualized computing resources through multi-tenant account and domain hierarchies. The vulnerability exists in the resource counting and allocation enforcement logic, specifically in functions that check whether a user's resource consumption is within configured limits before incrementing usage counters. CWE-367 (Time-of-check Time-of-use Race Condition) occurs because the check operation and the increment operation are not atomic: between verification that a resource limit has not been exceeded and the actual increment of the counter, a race condition allows multiple concurrent requests to each pass the check independently, then all increment the counter, collectively exceeding the quota. Additionally, missing input validations compound this issue. CloudStack's multi-tenant architecture means that compromised or malicious users within a domain can launch resource exhaustion attacks affecting the shared infrastructure and other tenants' services.
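An added illustration of the check-then-increment race described above, not CloudStack's own code: a quota counter whose limit check and increment run as separate steps, beside one that performs both inside a single critical section. The quota classes, the stall hook standing in for the round trip between the count query and the update, and the barrier used to reproduce the race deterministically are all constructed for this example.

```python
import threading


class RacyQuota:
    """Check-then-increment with a gap between the two steps (the CWE-367 pattern).
    Only the increment itself is atomic, as a database UPDATE would be."""
    def __init__(self, limit):
        self.limit, self.used = limit, 0
        self._counter_lock = threading.Lock()

    def allocate(self, stall=lambda: None):
        if self.used + 1 > self.limit:   # time of check
            return False
        stall()                           # stand-in for the DB round trip; other
        with self._counter_lock:          # requests can pass the check meanwhile
            self.used += 1                # time of use
        return True


class AtomicQuota:
    """Check and increment in one critical section: never more than `limit` grants."""
    def __init__(self, limit):
        self.limit, self.used = limit, 0
        self._lock = threading.Lock()

    def allocate(self, stall=lambda: None):
        with self._lock:
            if self.used + 1 > self.limit:
                return False
            stall()
            self.used += 1
            return True


def concurrent_allocations(quota, requests, hold_between_steps=False):
    """Run `requests` allocations in parallel; return (granted, quota.used).
    hold_between_steps=True parks each call between check and increment until all
    have passed the check (RacyQuota only: it would deadlock AtomicQuota)."""
    stall = threading.Barrier(requests).wait if hold_between_steps else (lambda: None)
    results, lock = [], threading.Lock()

    def worker():
        ok = quota.allocate(stall)
        with lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(requests)]
    for t in threads: t.start()
    for t in threads: t.join()
    return sum(results), quota.used
```

With a limit of 2 and 10 parallel requests, the racy counter grants all 10 (every request sees `used == 0` at check time), while the atomic counter grants exactly 2.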
Remediation (AI)
Upgrade Apache CloudStack to version 4.20.3.0 or later (if on the 4.20.x branch) or 4.22.0.1 or later (if on the 4.22.x branch) immediately. These patched versions incorporate atomic checks and increments for resource allocation and add missing validations to prevent quota bypass. If immediate patching is not feasible, implement compensating controls:
1. Reduce or disable concurrent API request handling for resource-allocation endpoints by enforcing per-user request serialization at the load balancer or API gateway level. This mitigates the race condition by eliminating concurrency but may reduce platform throughput.
2. Lower configured resource allocation limits to a safety margin below actual infrastructure capacity to provide a buffer against quota overages.
3. Restrict API access to trusted administrative users only and temporarily revoke API tokens for non-administrative users. This eliminates the attack surface at the cost of reduced multi-tenant functionality.
4. Enable detailed audit logging and alerting on resource allocation API calls to detect quota violations in real time, allowing reactive mitigation before DoS impact.
For patching details and download links, refer to the official Apache CloudStack advisory: https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm.
Identifiers: EUVD-2025-209744, GHSA-jj3r-fj56-xf97