CVE-2025-65947 Overview
CVE-2025-65947 affects thread-amount, a small utility library that returns the number of threads in the current process. Versions prior to 0.2.2 contain resource leaks on Windows and Apple platforms. On Windows, the library leaks kernel handles from CreateToolhelp32Snapshot. On Apple platforms, it leaks memory allocated by the Mach task_threads API. Repeated invocations exhaust system resources, leading to process termination or system instability. The maintainer released a fix in version 0.2.2. The weakness is classified as Uncontrolled Resource Consumption [CWE-400].
Critical Impact
Long-running processes that invoke thread_amount in a loop will exhaust handles on Windows or be killed by the Out-of-Memory (OOM) killer on macOS, causing denial of service.
Affected Products
- thread-amount versions prior to 0.2.2 on Windows platforms
- thread-amount versions prior to 0.2.2 on Apple (macOS) platforms
- Downstream applications and services that embed vulnerable versions of thread-amount
Discovery Timeline
- 2025-11-21 - CVE-2025-65947 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-65947
Vulnerability Analysis
The thread-amount library exposes a thread_amount function that returns the count of threads in the current process. On both Windows and Apple platforms, the implementation acquires platform-specific resources to enumerate threads but never releases them. Each invocation accumulates state inside the process. Over time, the leaked resources push the process past operating system limits.
On Windows, every call increases the process handle count. Once the per-process handle limit is reached, subsequent Win32 calls fail and the process becomes unstable or terminates. On macOS, every call grows the resident memory footprint. The kernel eventually invokes the OOM killer, terminating the process. The weakness maps to Uncontrolled Resource Consumption [CWE-400].
Root Cause
On Windows, thread_amount calls CreateToolhelp32Snapshot to obtain a snapshot of running threads but never invokes CloseHandle on the returned HANDLE. The kernel object remains referenced for the lifetime of the process.
On Apple platforms, thread_amount calls the Mach kernel API task_threads, which allocates a thread port array in the caller's virtual address space. The function never calls vm_deallocate to release that allocation. Memory grows linearly with the number of calls.
Attack Vector
Exploitation does not require authentication or user interaction. Any code path that repeatedly executes thread_amount triggers the leak. In server applications, network-reachable endpoints that call the function during request handling allow remote attackers to force resource exhaustion by issuing high-volume requests. The result is a denial of service: availability is lost, while confidentiality and integrity are unaffected.
See the GitHub Security Advisory GHSA-jf9p-2fv9-2jp2 for the maintainer's technical write-up.
Detection Methods for CVE-2025-65947
Indicators of Compromise
- Monotonically increasing handle count for a Windows process linked against thread-amount versions below 0.2.2, observable via Task Manager, Process Explorer, or Get-Process | Select-Object Handles.
- Steadily growing resident set size (RSS) on macOS processes using thread-amount, visible via top, vmmap, or ps -o rss.
- Process crashes accompanied by ERROR_NO_SYSTEM_RESOURCES on Windows or Jetsam/OOM kill log entries on macOS.
Detection Strategies
- Inventory build manifests (Cargo.toml, Cargo.lock) for direct or transitive dependencies on thread-amount below version 0.2.2.
- Add performance counters or telemetry for process handle counts and memory growth in long-running services that consume the library.
- Correlate availability incidents with deployment timelines to identify regressions tied to vulnerable releases.
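The lockfile inventory from the first detection strategy, as an added example (not code from thread-amount or the advisory): a std-only Rust check that reports every locked thread-amount version older than 0.2.2. `SAMPLE_LOCK` and the other crate names in it are constructed for illustration.

```rust
// Added example: flag thread-amount entries older than 0.2.2 in Cargo.lock text.
const CRATE: &str = "thread-amount";
const FIXED: (u64, u64, u64) = (0, 2, 2); // first fixed release per the advisory
// Constructed sample lockfile; every crate except thread-amount is hypothetical.
const SAMPLE_LOCK: &str = r#"
version = 3
[[package]]
name = "example-service"
version = "1.4.0"
dependencies = [
 "thread-amount",
]
[[package]]
name = "thread-amount"
version = "0.2.1"
[[package]]
name = "thread-amount-example-ext"
version = "0.1.0"
"#;

/// Parse "MAJOR.MINOR.PATCH"; pre-release and build suffixes are ignored.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Value of a `key = "value"` line, if the line sets exactly `key`.
fn quoted<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

/// Every locked thread-amount version that is older than the fix.
fn vulnerable_versions(lockfile: &str) -> Vec<String> {
    let (mut hits, mut name) = (Vec::new(), None);
    for line in lockfile.lines() {
        if let Some(n) = quoted(line, "name") {
            name = Some(n); // Cargo.lock writes name before version
        } else if let Some(v) = quoted(line, "version") {
            if name == Some(CRATE) && !parse_version(v).map_or(false, |t| t >= FIXED) {
                hits.push(v.to_string()); // older than the fix, or unparseable
            }
            name = None; // this package entry has been handled
        }
    }
    hits
}
fn main() { println!("vulnerable: {:?}", vulnerable_versions(SAMPLE_LOCK)); }
```

Because it reads the lockfile rather than Cargo.toml, the check also catches thread-amount when it is only a transitive dependency.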
Monitoring Recommendations
- Configure alerts when a process handle count exceeds a baseline threshold or grows linearly over time.
- Monitor macOS endpoints for repeated OOM terminations of the same binary.
- Track software composition analysis (SCA) findings to flag any reintroduction of pre-0.2.2 releases.
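One way to turn the "grows linearly over time" alert above and the handle-count and RSS indicators into a check, as an added example (not part of the advisory or the library): a least-squares fit over periodic samples that separates steady per-call growth from normal fluctuation or a one-time step. The sample series and the slope and R² thresholds are constructed assumptions to tune per service.

```rust
// Added example: flag leak-like growth in periodic handle-count or RSS samples.
// All sample series and thresholds below are constructed for illustration.
const LEAKING: [f64; 8] = [512.0, 548.0, 590.0, 631.0, 660.0, 702.0, 745.0, 781.0];
const HEALTHY: [f64; 8] = [512.0, 530.0, 505.0, 521.0, 498.0, 517.0, 509.0, 526.0];
const ONE_STEP: [f64; 8] = [500.0, 500.0, 500.0, 500.0, 900.0, 900.0, 900.0, 900.0];

/// Least-squares line through (index, value); returns (slope per sample, R^2).
fn linear_fit(samples: &[f64]) -> Option<(f64, f64)> {
    if samples.len() < 3 {
        return None; // too few points to call anything a trend
    }
    let n = samples.len() as f64;
    let mean_x = (n - 1.0) / 2.0;
    let mean_y = samples.iter().sum::<f64>() / n;
    let (mut sxy, mut sxx, mut syy) = (0.0, 0.0, 0.0);
    for (i, &y) in samples.iter().enumerate() {
        let (dx, dy) = (i as f64 - mean_x, y - mean_y);
        sxy += dx * dy;
        sxx += dx * dx;
        syy += dy * dy;
    }
    if syy == 0.0 {
        return Some((0.0, 0.0)); // perfectly flat series
    }
    Some((sxy / sxx, sxy * sxy / (sxx * syy)))
}

/// True when the series rises by at least `min_slope` per sample and a straight
/// line explains at least `min_r2` of its variance (steady, per-call growth).
fn looks_like_leak(samples: &[f64], min_slope: f64, min_r2: f64) -> bool {
    matches!(linear_fit(samples), Some((s, r2)) if s >= min_slope && r2 >= min_r2)
}

fn main() {
    for (label, series) in [("leaking", LEAKING), ("healthy", HEALTHY), ("one step", ONE_STEP)] {
        println!("{}: leak-like = {}", label, looks_like_leak(&series, 5.0, 0.95));
    }
}
```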
How to Mitigate CVE-2025-65947
Immediate Actions Required
- Upgrade thread-amount to version 0.2.2 or later in all dependent projects.
- Rebuild and redeploy downstream binaries that statically link the library.
- Restart long-running processes that have already accumulated leaked handles or memory.
Patch Information
The maintainer released the fix in version 0.2.2. The patch closes the Windows HANDLE returned by CreateToolhelp32Snapshot with CloseHandle and releases the Mach thread list with vm_deallocate after task_threads. Review the upstream changes in the GitHub Commit Update and the GitHub Pull Request.
Workarounds
- Cache the thread count in application code and avoid calling thread_amount on hot paths until the patched version is deployed.
- Replace the dependency with a direct, properly-closing call to CreateToolhelp32Snapshot/CloseHandle on Windows or task_threads/vm_deallocate on macOS.
- Periodically recycle worker processes to bound resource consumption while patching is in progress.
```bash
# Update the dependency in a Rust project
cargo update -p thread-amount --precise 0.2.2
cargo build --release
```