CVE-2025-69255 Overview
CVE-2025-69255 is a Denial of Service (DoS) vulnerability affecting RustFS, a distributed object storage system built in Rust. The vulnerability exists in the gRPC GetMetrics handler, where a malformed request can cause the handler thread to panic due to failed deserialization of metric_type or opts parameters, enabling remote denial of service of the metrics endpoint.
Critical Impact
Remote attackers can crash the RustFS metrics endpoint handler by sending specially crafted gRPC requests, potentially disrupting monitoring capabilities and system observability.
Affected Products
- RustFS versions 1.0.0-alpha.13 through 1.0.0-alpha.77
Discovery Timeline
- 2026-01-07 - CVE-2025-69255 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-69255
Vulnerability Analysis
This vulnerability stems from improper error handling in the RustFS gRPC get_metrics function. When the handler receives a malformed GetMetrics request, it deserializes the metric_type and opts parameters and consumes the result with Rust's unwrap() method. If deserialization fails because the input is malformed, the unwrap() call triggers a panic and the handler thread crashes. This is classified under CWE-755 (Improper Handling of Exceptional Conditions).
The attack is network-accessible, requires no authentication, and has low attack complexity. While the vulnerability does not compromise data confidentiality or integrity, it directly impacts service availability by allowing remote attackers to crash the metrics endpoint.
Root Cause
The root cause is the use of unwrap() on fallible deserialization operations without proper error handling. In Rust, calling unwrap() on a Result that holds an Err, or on an Option that holds None, panics and terminates the thread. The get_metrics handler did not handle the case where metric_type or opts contained invalid or unexpected values gracefully, for example by returning an error status to the caller instead of panicking.
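To make the root cause concrete, the following added example (not RustFS code, and independent of tonic) shows the vulnerable handler shape beside the hardened one described under Patch Information. The metric categories, the "interval=<n>" format of opts and the Status stand-in are assumptions; only the unwrap-versus-map_err pattern comes from the page.

```rust
use std::str::FromStr;

/// Stand-in for tonic::Status so the example compiles without the tonic crate (assumption).
#[derive(Debug, PartialEq)]
pub enum Status { InvalidArgument(String) }

/// Assumed metric categories; the real RustFS enum is not shown on the page.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum MetricType { Cpu, Memory, Disk }

impl FromStr for MetricType {
    type Err = String;
    fn from_str(s: &str) -> Result<Self, String> {
        match s {
            "cpu" => Ok(MetricType::Cpu),
            "memory" => Ok(MetricType::Memory),
            "disk" => Ok(MetricType::Disk),
            other => Err(format!("unknown metric_type {other:?}")),
        }
    }
}

/// Wire-level request as it arrives from the client: both fields are raw strings
/// that still have to be deserialized, which is where the fallible step lives.
pub struct GetMetricsRequest { pub metric_type: String, pub opts: String }

/// opts is assumed to be "interval=<seconds>"; anything else is malformed.
fn parse_opts(opts: &str) -> Result<u64, String> {
    let secs = opts.strip_prefix("interval=").ok_or("opts must be interval=<n>")?;
    secs.parse::<u64>().map_err(|e| format!("bad interval: {e}"))
}

/// Vulnerable shape: unwrap() turns any deserialization error into a panic,
/// so one malformed request unwinds the handler.
pub fn get_metrics_vulnerable(req: &GetMetricsRequest) -> (MetricType, u64) {
    let metric_type = MetricType::from_str(&req.metric_type).unwrap();
    let interval = parse_opts(&req.opts).unwrap();
    (metric_type, interval)
}

/// Hardened shape: every fallible step maps to an InvalidArgument status that the
/// gRPC layer returns to the caller; malformed input is a client error, not a crash.
pub fn get_metrics(req: &GetMetricsRequest) -> Result<(MetricType, u64), Status> {
    let metric_type = MetricType::from_str(&req.metric_type).map_err(Status::InvalidArgument)?;
    let interval = parse_opts(&req.opts).map_err(Status::InvalidArgument)?;
    Ok((metric_type, interval))
}
```

In a real tonic service the hardened function would return `Err(tonic::Status::invalid_argument(msg))`, which the framework serializes as a gRPC error response while the server keeps serving.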
Attack Vector
An attacker can exploit this vulnerability by sending a malformed gRPC GetMetrics request to a vulnerable RustFS instance. The attack vector is network-based and requires:
- Network access to the RustFS gRPC endpoint
- Ability to craft a malicious gRPC request with invalid metric_type or opts fields
- No authentication or special privileges are required
When the malformed request is processed, the deserialization failure causes the handler thread to panic, resulting in denial of service of the metrics endpoint.
// Security patch in Cargo.toml - fix: Prevent panic in GetMetrics gRPC handler on invalid input (#1291)
"crates/audit", # Audit target management system with multi-target fan-out
"crates/common", # Shared utilities and data structures
"crates/config", # Configuration management
+ "crates/credentials", # Credential management system
"crates/crypto", # Cryptography and security features
"crates/ecstore", # Erasure coding storage implementation
"crates/e2e_test", # End-to-end test suite
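Review bot: the only change visible in this hunk is the new workspace member `"crates/credentials"` in Cargo.toml, which does not touch the GetMetrics handler named in the comment on the first line; the error-handling fix for metric_type and opts deserialization would live in the gRPC handler source, so either quote that hunk here or relabel this one as an incidental workspace change from the same commit.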
Source: GitHub Commit
Detection Methods for CVE-2025-69255
Indicators of Compromise
- Unexpected crashes or restarts of RustFS handler threads
- Log entries indicating panic conditions in the get_metrics function
- Sudden unavailability of the metrics endpoint while other services remain operational
- Unusual patterns of gRPC requests targeting the GetMetrics endpoint
Detection Strategies
- Monitor RustFS logs for panic messages related to deserialization failures in get_metrics
- Implement alerting for metrics endpoint availability degradation
- Track gRPC request patterns for anomalous GetMetrics calls with malformed parameters
- Deploy network intrusion detection rules to identify malformed gRPC traffic
Monitoring Recommendations
- Set up health checks specifically for the RustFS metrics endpoint
- Configure log aggregation to capture and alert on Rust panic stack traces
- Monitor thread count and handler availability metrics for unexpected drops
- Implement synthetic monitoring to periodically verify metrics endpoint responsiveness
How to Mitigate CVE-2025-69255
Immediate Actions Required
- Upgrade RustFS to version 1.0.0-alpha.78 or later immediately
- If upgrade is not immediately possible, consider restricting network access to the gRPC metrics endpoint
- Review firewall rules to limit access to the metrics endpoint from trusted sources only
- Monitor for exploitation attempts while preparing to deploy the patch
Patch Information
This vulnerability has been fixed in RustFS version 1.0.0-alpha.78. The patch implements proper error handling for the deserialization of metric_type and opts parameters in the GetMetrics gRPC handler, preventing panics from malformed input.
For detailed information about the fix, refer to the GitHub Security Advisory and the patch commit.
Workarounds
- Restrict network access to the gRPC metrics endpoint using firewall rules or network segmentation
- Deploy a reverse proxy with input validation in front of the RustFS gRPC endpoint
- Implement rate limiting on the metrics endpoint to reduce the impact of potential DoS attempts
- Consider temporarily disabling the metrics endpoint if it is not critical for operations until the patch can be applied
# Example: Restrict access to RustFS metrics endpoint using iptables
# Replace 9000 with your actual gRPC metrics port
# Replace 10.0.0.0/8 with your trusted monitoring network
# Allow metrics endpoint access only from trusted monitoring network
# Note: -A appends, so an earlier rule that already accepts this port would take precedence;
# check the chain with `iptables -L INPUT -n --line-numbers` and persist the rules with iptables-save
iptables -A INPUT -p tcp --dport 9000 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 9000 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.