CVE-2025-69255

MEDIUM
2026-01-07 [email protected] GHSA-gw2x-q739-qhcr
4.0
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
PoC Detected
Jan 16, 2026 - 19:28 vuln.today
Public exploit code
Patch Released
Jan 16, 2026 - 19:28 nvd
Patch available
CVE Published
Jan 07, 2026 - 21:16 nvd
MEDIUM 4.0

Tags

Industrial Denial Of Service Deserialization Rustfs

Description

RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 to 1.0.0-alpha.77, a malformed gRPC GetMetrics request causes get_metrics to unwrap() failed deserialization of metric_type/opts, panicking the handler thread and enabling remote denial of service of the metrics endpoint. This issue has been patched in version 1.0.0-alpha.78.

Analysis

RustFS is a distributed object storage system built in Rust. [CVSS 4.0 MEDIUM]

Technical Context

Classified as CWE-755 (Improper Handling of Exceptional Conditions). Affects Rustfs. RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 to 1.0.0-alpha.77, a malformed gRPC GetMetrics request causes get_metrics to unwrap() failed deserialization of metric_type/opts, panicking the handler thread and enabling remote denial of service of the metrics endpoint. This issue has been patched in version 1.0.0-alpha.78.

Affected Products

Vendor: Rustfs. Product: Rustfs. Versions: up to 1.0.0.

Remediation

A vendor patch is available — apply it immediately. Fixed in version 1.0.0.

Priority Score

40
Low Medium High Critical
KEV: 0
EPSS: +0.4
CVSS: +20
POC: +20

Share

CVE-2025-69255 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy