CVE-2025-27421
Published: 03 March 2025
Summary
CVE-2025-27421 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003); it is ranked at the 41.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires timely flaw remediation, directly addressing the goroutine leak by mandating patching to Abacus 1.4.0, which fixes the improper channel cleanup.
- Implements denial-of-service protections such as rate limiting or connection throttling to prevent resource exhaustion from repeated SSE connect/disconnect attacks.
- Protects resource availability by limiting allocations per connection, process, or interface, mitigating indefinite goroutine blocking and memory saturation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes an unauthenticated network-accessible resource exhaustion vulnerability (goroutine leak) in the Abacus SSE /stream endpoint that attackers can trigger via repeated connect/disconnect requests to exhaust memory and block new connections, directly enabling an Application Exhaustion Flood for denial of service.
NVD Description
Abacus is a highly scalable and stateless counting API. A critical goroutine leak vulnerability has been identified in the Abacus server's Server-Sent Events (SSE) implementation. The issue occurs when clients disconnect from the /stream endpoint, as the server fails to properly clean up resources and terminate associated goroutines. This leads to resource exhaustion where the server continues running but eventually stops accepting new SSE connections while maintaining high memory usage. The vulnerability specifically involves improper channel cleanup in the event handling mechanism, causing goroutines to remain blocked indefinitely. This vulnerability is fixed in 1.4.0.
Deeper analysis
CVE-2025-27421 is a critical goroutine leak vulnerability in the Server-Sent Events (SSE) implementation of the Abacus server, a highly scalable and stateless counting API. The flaw occurs when clients disconnect from the /stream endpoint, as the server fails to properly clean up resources and terminate associated goroutines due to improper channel cleanup in the event handling mechanism. This causes goroutines to remain blocked indefinitely, resulting in resource exhaustion characterized by high memory usage and the server eventually stopping acceptance of new SSE connections while continuing to run. The vulnerability affects Abacus versions prior to 1.4.0 and is mapped to CWE-400 (Uncontrolled Resource Consumption) and CWE-772 (Missing Release of Resource after Effective Lifetime), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Unauthenticated attackers with network access can exploit this vulnerability with low complexity and no user interaction. By repeatedly connecting to and then disconnecting from the /stream SSE endpoint, an attacker triggers the goroutine leak, progressively exhausting server resources. This achieves a denial-of-service condition, rendering the SSE functionality unavailable due to memory saturation and connection refusal, while the server process persists.
The vulnerability is addressed in Abacus version 1.4.0. Mitigation requires upgrading to this patched release. Additional details are available in the fix commit at https://github.com/JasonLovesDoggo/abacus/commit/898ff1204e11317cc161240b660e63eed5a72b33 and the GitHub security advisory at https://github.com/JasonLovesDoggo/abacus/security/advisories/GHSA-vh64-54px-qgf8.
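As an added illustration of the bug class the advisory describes (constructed here in Go, not the Abacus source or its fix commit), a fan-out goroutine that writes to a per-client channel without watching the request context stays blocked forever after the client disconnects, while the hardened form selects on ctx.Done() for both the receive and the send. The names leakyForward, safeForward and goroutineExits are assumed; in a real net/http handler the context to watch is r.Context(), which is cancelled when the client goes away.

```go
package main

import (
	"context"
	"time"
)
// leakyForward mirrors the vulnerable pattern (constructed illustration, not the Abacus
// source): the fan-out goroutine sends into a per-client channel but ignores the request
// context, so once the client stops reading the send blocks forever and nothing is freed.
func leakyForward(_ context.Context, events <-chan string, client chan<- string) {
	for ev := range events {
		client <- ev // blocks indefinitely after the client disconnects
	}
}
// safeForward is the hardened form: receive and send both select on ctx.Done(),
// so a disconnect lets the goroutine return and be garbage-collected.
func safeForward(ctx context.Context, events <-chan string, client chan<- string) {
	for {
		select {
		case <-ctx.Done():
			return
		case ev := <-events:
			select { // the send is guarded too: this is the leak point
			case <-ctx.Done():
				return
			case client <- ev:
			}
		}
	}
}
// goroutineExits simulates one session (client reads an event, disconnects, another
// event arrives) and reports whether the forwarder exited before the deadline.
func goroutineExits(forward func(context.Context, <-chan string, chan<- string), deadline time.Duration) bool {
	ctx, cancel := context.WithCancel(context.Background())
	events := make(chan string, 1) // buffered so the post-disconnect send cannot block the test
	client := make(chan string)    // unbuffered: nothing drains it once the client is gone
	done := make(chan struct{})
	go func() { forward(ctx, events, client); close(done) }()
	events <- "hit=1"
	<-client // the client consumes one event, then disconnects
	cancel() // a real handler sees this as r.Context() being cancelled
	events <- "hit=2"
	select {
	case <-done:
		return true // goroutine released
	case <-time.After(deadline):
		return false // goroutine leaked
	}
}
```

A complementary operational check is to compare runtime.NumGoroutine() or the /debug/pprof/goroutine profile before and after a connect/disconnect cycle against the SSE endpoint: on a patched build the count returns to baseline.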
Details
- CWE(s)