Skip to main content

Proxygen EUVDEUVD-2025-200372

| CVE-2025-55181 MEDIUM
Excessive Iteration (CWE-834)
2025-12-02 cve-assign@fb.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
EUVD ID Assigned
Mar 15, 2026 - 14:04 euvd
EUVD-2025-200372
Analysis Generated
Mar 15, 2026 - 14:04 vuln.today
Patch released
Mar 15, 2026 - 14:04 nvd
Patch available
CVE Published
Dec 02, 2025 - 22:16 nvd
MEDIUM 5.3

DescriptionCVE.org

Sending an HTTP request/response body with greater than 2^31 bytes triggers an infinite loop in proxygen::coro::HTTPQuicCoroSession which blocks the backing event loop and unconditionally appends data to a std::vector per-loop iteration. This issue leads to unbounded memory growth and eventually causes the process to run out of memory.

AnalysisAI

CVE-2025-55181 is a security vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Technical ContextAI

Vulnerability type not specified by vendor.

RemediationAI

Apply the vendor-supplied patch immediately.

CVE-2015-7264 CRITICAL
9.8 Apr 10

The SPDY/2 codec in Facebook Proxygen before 2015-11-09 truncates a certain field to two bytes, which allows hijacking a

CVE-2020-1897 CRITICAL
9.8 May 18

A use-after-free is possible due to an error in lifetime management in the request adaptor when a malicious client invok

CVE-2019-11940 CRITICAL
9.8 Dec 04

In the course of decompressing HPACK inside the HTTP2 protocol, an unexpected sequence of header table resize operations

CVE-2019-11921 CRITICAL
9.8 Jul 25

An out of bounds write is possible via a specially crafted packet in certain configurations of Proxygen due to improper

CVE-2015-7265 HIGH
7.5 Apr 10

Facebook Proxygen before 2015-11-09 mismanages HTTPMessage.request state, which allows remote attackers to conduct hijac

CVE-2015-7263 HIGH
7.5 Apr 10

The SPDY/2 codec in Facebook Proxygen before 2015-11-09 allows remote attackers to conduct hijacking attacks and bypass

CVE-2021-24029 HIGH
7.5 Mar 15

A packet of death scenario is possible in mvfst via a specially crafted message during a QUIC session, which causes a cr

CVE-2018-6347 HIGH
7.5 Dec 31

An issue in the Proxygen handling of HTTP2 parsing of headers/trailers can lead to a denial-of-service attack. Rated hig

CVE-2018-6346 HIGH
7.5 Dec 31

A potential denial-of-service issue in the Proxygen handling of invalid HTTP2 priority settings (specifically a circular

CVE-2018-6343 HIGH
7.5 Dec 31

Proxygen fails to validate that a secondary auth manager is set before dereferencing it. Rated high severity (CVSS 7.5),

Share

EUVD-2025-200372 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy