How the CVE Works:
The vulnerability (CVE-2025-XXXX) in Linkerd affects versions before edge-25.2.1 and Enterprise releases 2.16. (before 2.16.5), 2.17. (before 2.17.2), and 2.18. (before 2.18.0). It allows attackers to trigger resource exhaustion by flooding the Linkerd proxy with excessive metrics requests. Each request costs the proxy memory and CPU, so a sustained flood overwhelms it and leads to a denial-of-service (DoS) condition. The issue stems from improper rate-limiting and unbounded metric collection, which lets malicious actors degrade service performance or crash the proxy entirely.
DailyCVE Form:
Platform: Linkerd
Version: < edge-25.2.1, 2.16., 2.17., 2.18.
Vulnerability: Resource exhaustion
Severity: Moderate
Date: May 6, 2025
What Undercode Says:
Exploitation:
1. Flood Metrics Endpoint:
```bash
while true; do curl http://<target-linkerd>:4191/metrics; done
```
2. Exploit Script (Python):
```python
import requests

while True:
    requests.get("http://<target-linkerd>:4191/metrics")
```
Mitigation:
1. Update Linkerd:
```bash
linkerd upgrade --edge-version=edge-25.2.1
```
2. Rate-Limit Metrics:
Linkerd config patch:
```yaml
proxy:
  metrics:
    maxRequestsPerSecond: 100
```
3. Network Policies:
Kubernetes NetworkPolicy:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-metrics-access
spec:
  podSelector:
    matchLabels:
      linkerd.io/control-plane-component: proxy
  ingress:
    - from:
        - podSelector:
            matchLabels:
              authorized: "true"
      ports:
        - port: 4191
```
Detection:
1. Monitor Proxy Logs:
```bash
kubectl logs -l linkerd.io/control-plane-component=proxy --tail=50 | grep "metrics overload"
```
2. Prometheus Alert:
```yaml
- alert: LinkerdMetricsFlood
  # the range window was lost in the source text; set it to your scrape interval
  expr: rate(linkerd_proxy_metrics_requests_total[<range>]) > 1000
  for: 2m
```
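The Prometheus rule above flags a flood only in aggregate. The following added example (not code from Linkerd or from the original post) shows the same sliding-window idea applied per source address over proxy access logs, which is what you need to decide which caller to block with a NetworkPolicy. It assumes a hypothetical log format of `<ISO timestamp> <client ip> <method> <path>` and uses constructed sample lines; the threshold of 100 requests per window mirrors the rate-limit value suggested in the mitigation section.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line):
    """Parse one hypothetical proxy access-log line:
    '<ISO timestamp> <client ip> <method> <path>' (assumed format, not Linkerd's)."""
    ts_str, ip, _method, path = line.split()
    return datetime.fromisoformat(ts_str), ip, path


def detect_metrics_flood(lines, window_seconds=60, threshold=100, path="/metrics"):
    """Return {client_ip: peak_requests} for every source whose requests to `path`
    exceed `threshold` within any sliding window of `window_seconds`.

    A per-source deque holds the timestamps inside the current window; the
    peak window size is tracked so that a burst is caught even if it has
    already subsided by the end of the log.
    """
    events = sorted(parse_line(l) for l in lines if l.strip())
    events = [e for e in events if e[2] == path]
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps within the window
    peak = defaultdict(int)      # ip -> largest window population seen
    for ts, ip, _ in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # evict timestamps older than the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


def build_sample_log():
    """Constructed sample log: one noisy client issuing 150 /metrics requests in
    30 seconds, one well-behaved client issuing 5, plus an unrelated /ready probe."""
    base = datetime(2025, 5, 6, 12, 0, 0)
    lines = []
    for i in range(150):
        ts = base + timedelta(milliseconds=200 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.9 GET /metrics")
    for i in range(5):
        ts = base + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.5 GET /metrics")
    lines.append(f"{base.isoformat()} 10.0.0.9 GET /ready")  # ignored: not the metrics path
    return lines


if __name__ == "__main__":
    flagged = detect_metrics_flood(build_sample_log())
    for ip, count in flagged.items():
        print(f"possible metrics flood from {ip}: {count} requests in 60s window")
```

Feed it real lines by adapting `parse_line` to your proxy's log format; the window should match the `for:` duration of your alert so that both signals fire on the same burst.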
References:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode