Cyber Posture

CVE-2025-2240

Severity: High
Published: 12 March 2025
Modified: 15 April 2026
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0034 (57.0th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-2240 is a high-severity Improperly Controlled Sequential Memory Allocation (CWE-1325) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003); ranked in the top 43.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application Exhaustion Flood (T1499.003). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

Prevent: Flaw remediation through patching the Smallrye fault-tolerance component directly eliminates the unbounded object allocation in meterMap triggered by metrics URI calls.

Prevent: Denial-of-service protections (SC-5), such as rate limiting on the metrics URI, prevent repeated external calls from causing memory exhaustion.

Prevent: Resource availability controls (SC-6) enforce quotas and limits on memory usage to mitigate OOM conditions from excessive object creation in meterMap.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1499.003 Application Exhaustion Flood (tactic: Impact)

Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.

Why these techniques?

The vulnerability allows repeated unauthenticated requests to the metrics endpoint to trigger unbounded object allocation in meterMap, directly enabling Application Exhaustion Flood (T1499.003) to cause memory exhaustion and DoS with no other impacts.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue.

Deeper analysis [AI-generated]

CVE-2025-2240, published on 2025-03-12, is a vulnerability in the Smallrye fault-tolerance component (smallrye-fault-tolerance) that causes an out-of-memory (OOM) condition. The flaw is externally triggered by calling the metrics URI, where each request creates a new object in the meterMap, potentially leading to a denial-of-service (DoS) condition. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-1325.

Any unauthenticated attacker with network access to the affected metrics endpoint can exploit this vulnerability. Repeated calls to the URI enable unbounded object allocation in the meterMap, resulting in memory exhaustion and disruption of service availability, with no impact on confidentiality or integrity.

Red Hat has issued patches via errata RHSA-2025:3376, RHSA-2025:3541, and RHSA-2025:3543. Further details on the issue and remediation are documented in the Red Hat security advisory for CVE-2025-2240 and Bugzilla entry 2351452.
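The allocation pattern described above (a registry entry minted on every metrics call) beside a bounded, key-reusing registry, as an added example in Python; this is not SmallRye's code, and the UnboundedMeterMap/BoundedMeterMap classes and the growth_after check are hypothetical stand-ins for the meterMap the page names but does not show:

```python
"""Added example: CWE-1325 registry growth versus a bounded registry.
Hypothetical stand-ins: the page names meterMap but shows no code."""
from itertools import count
from threading import Lock


class Meter:
    """Stand-in for a metrics object; holds state so each one costs memory."""
    def __init__(self, key: str) -> None:
        self.key = key
        self.samples: list[int] = []


class UnboundedMeterMap:
    """Vulnerable shape: every call mints a fresh entry, so the map grows
    with the number of requests instead of the number of distinct meters."""
    def __init__(self) -> None:
        self._meters: dict[str, Meter] = {}
        self._seq = count()

    def handle_metrics_request(self, path: str) -> int:
        key = f"{path}#{next(self._seq)}"  # unique per call: never reused
        self._meters[key] = Meter(key)
        return len(self._meters)


class BoundedMeterMap:
    """Hardened shape: entries are keyed by stable identity and reused
    (the Java computeIfAbsent idiom), and a hard cap (SC-6 style quota)
    stops the map growing even if callers supply unseen keys."""
    def __init__(self, max_entries: int = 1000) -> None:
        self._meters: dict[str, Meter] = {}
        self._max = max_entries
        self._lock = Lock()  # registration must be atomic across threads

    def handle_metrics_request(self, path: str) -> int:
        with self._lock:
            if path not in self._meters:
                if len(self._meters) >= self._max:
                    raise RuntimeError("meter registry full; new meter refused")
                self._meters[path] = Meter(path)
            return len(self._meters)


def growth_after(registry, path: str, calls: int) -> int:
    """Regression check: registry size after `calls` identical requests.
    A sound registry reports the same size for 1 call and N; a leaking
    one reports N, which is the signature of this CVE's defect."""
    size = 0
    for _ in range(calls):
        size = registry.handle_metrics_request(path)
    return size
```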

Details

CWE(s): CWE-1325 (Improperly Controlled Sequential Memory Allocation)

CVEs Like This One

CVE-2026-3201 (shared CWE-1325)