VictoriaMetrics Snappy Decoder Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in VictoriaMetrics, affecting versions 1.0.0 prior to 1.110.23, 1.111.0 prior to 1.122.8, and 1.123.0 prior to 1.129.1. The issue arises because the Snappy decoder did not respect VictoriaMetrics' request size limits, allowing malformed blocks to cause excessive memory usage. This could lead to out-of-memory errors and service instability. The vulnerability has been patched in versions 1.110.23, 1.122.8, and 1.129.1.

Impact

Exploitation of this vulnerability can cause out-of-memory errors, leading to service instability.

Reproduction

The vulnerability can be reproduced by sending Snappy-encoded requests that include malformed blocks, which can bypass the application's size limits and cause excessive memory consumption. This can be done using tools or scripts that create such Snappy blocks, taking advantage of the lack of proper size checks in the affected versions.

Remediation

Users can upgrade to VictoriaMetrics versions 1.110.23, 1.122.8, or 1.129.1 to address this vulnerability.
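As an added illustration (not VictoriaMetrics' own code or patch), the guard below shows the kind of check a Snappy block decoder needs: every Snappy block begins with a varint declaring its uncompressed length, so a decoder can compare that declared size with the request limit before allocating any output buffer, and a malformed or truncated header is rejected at the same point. The 64 MiB limit and the function names are assumptions for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed limit standing in for a server's maximum decoded request size.
const maxDecodedBytes uint64 = 64 << 20 // 64 MiB

var (
	errBadHeader = errors.New("snappy: malformed or truncated length header")
	errTooLarge  = errors.New("snappy: declared uncompressed size exceeds limit")
)

// checkSnappyBlock reads the uvarint length prefix that starts every
// Snappy block and compares it with limit. It returns the declared
// length and an error before any output buffer would be allocated.
func checkSnappyBlock(block []byte, limit uint64) (uint64, error) {
	declared, n := binary.Uvarint(block)
	if n <= 0 { // n == 0: input too short; n < 0: varint overflows 64 bits
		return 0, errBadHeader
	}
	if declared > limit {
		return declared, errTooLarge
	}
	return declared, nil
}

// snappyHeader builds a Snappy length prefix followed by one constructed
// payload byte; used here only to exercise the guard with sample input.
func snappyHeader(declared uint64) []byte {
	buf := make([]byte, binary.MaxVarintLen64)
	n := binary.PutUvarint(buf, declared)
	return append(buf[:n], 0x00)
}

func main() {
	for _, tc := range []struct {
		name  string
		block []byte
	}{
		{"small block", snappyHeader(1024)},
		{"oversized header", snappyHeader(1 << 40)}, // header claims 1 TiB
		{"empty input", nil},
	} {
		size, err := checkSnappyBlock(tc.block, maxDecodedBytes)
		fmt.Printf("%-16s declared=%d err=%v\n", tc.name, size, err)
	}
}
```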

Added: Nov 25, 2025, 11:18 PM
Updated: Nov 25, 2025, 11:18 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 5.8
remediation: 7.7
relevance: 1.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.