GHSA-66jq-2c23-2xh5

Affected versions are vulnerable to DoS attacks because the snappy decoder ignored VictoriaMetrics request size limits allowing malformed blocks to trigger excessive memory use. This could lead to OOM errors and service instability. The fix enforces block-size checks based on MaxRequest limits.

Patches

Versions 1.129.1, 1.122.8, 1.110.23

Resources

https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.129.1
https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.122.8
https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.110.23

Note

VictoriaMetrics' security model assumes its APIs are properly secured (e.g. via access control flags or a firewall); this advisory addresses malicious input that should not be possible under a correctly secured deployment.

Database specific

{
    "nvd_published_at": "2025-11-25T23:15:47Z",
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-25T20:40:13Z",
    "severity": "LOW",
    "cwe_ids": [
        "CWE-770"
    ]
}

References

Affected packages

Go

github.com/VictoriaMetrics/VictoriaMetrics

Package

Name: github.com/VictoriaMetrics/VictoriaMetrics; View open source insights on deps.dev
Purl: pkg:golang/github.com/VictoriaMetrics/VictoriaMetrics

Affected ranges

Type: SEMVER
Events: Introduced

1.123.0

Fixed

1.129.1

github.com/VictoriaMetrics/VictoriaMetrics

Package

Name: github.com/VictoriaMetrics/VictoriaMetrics; View open source insights on deps.dev
Purl: pkg:golang/github.com/VictoriaMetrics/VictoriaMetrics

Affected ranges

Type: SEMVER
Events: Introduced

1.111.0

Fixed

1.122.8

github.com/VictoriaMetrics/VictoriaMetrics

Package

Name: github.com/VictoriaMetrics/VictoriaMetrics; View open source insights on deps.dev
Purl: pkg:golang/github.com/VictoriaMetrics/VictoriaMetrics

Affected ranges

Type: SEMVER
Events: Introduced

1.0.0

Fixed

1.110.23