GHSA-gw2x-q739-qhcr: RustFS gRPC GetMetrics deserialization panic enables remote DoS

Summary

A malformed gRPC GetMetrics request causes get_metrics to call unwrap() on a failed deserialization of metric_type/opts, which panics the handler thread and enables remote denial of service of the metrics endpoint.

Details

  • Vulnerable code: rustfs/src/storage/tonic_service.rs:1775-1782:
    • MetricType and CollectMetricsOpts are deserialized with Deserialize::deserialize(...).unwrap() from client-supplied bytes.
    • Malformed metric_type/opts (e.g., empty or truncated rmp-serde payloads) trigger InvalidMarkerRead and panic.
  • Reachability: the gRPC service shares the TCP listener with S3 (default :9000); the only access check is a static interceptor token ("authorization: rustfs rpc"), verified in server/http.rs:677.
  • Impact scope: panic terminates the worker handling the request, causing metrics service interruption and potential process instability.
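The pattern behind the finding, as an added illustration that is not RustFS code: a handler that unwrap()s a deserialization result on client-supplied bytes beside the hardened form that maps the decode error to an InvalidArgument status and returns it. The one-byte encoding, the MetricType variants, the CollectMetricsOpts field, DecodeError and the Status struct are all stand-ins constructed for this example; RustFS itself uses rmp-serde (MessagePack) and tonic::Status, which the example deliberately does not depend on so it compiles with the standard library alone.

```rust
use std::fmt;

/// Stand-in for the request's metric_type variants (assumed names, not the project's).
#[derive(Debug, PartialEq)]
pub enum MetricType {
    Cpu,
    Memory,
    Disk,
}

/// Stand-in for CollectMetricsOpts with one assumed field.
#[derive(Debug, PartialEq)]
pub struct CollectMetricsOpts {
    pub history: bool,
}

/// Stand-in for a deserialization failure such as rmp-serde's InvalidMarkerRead:
/// the decoder ran out of input (empty/truncated payload) or saw an unknown marker.
#[derive(Debug, PartialEq)]
pub enum DecodeError {
    InvalidMarkerRead,
    UnknownMarker(u8),
}

impl fmt::Display for DecodeError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            DecodeError::InvalidMarkerRead => write!(f, "InvalidMarkerRead: unexpected end of input"),
            DecodeError::UnknownMarker(b) => write!(f, "unknown marker byte 0x{b:02x}"),
        }
    }
}

/// Minimal stand-in for the gRPC status returned to the client (tonic::Status in RustFS).
#[derive(Debug, PartialEq)]
pub struct Status {
    pub code: &'static str,
    pub message: String,
}

impl Status {
    pub fn invalid_argument(msg: impl Into<String>) -> Self {
        Status { code: "InvalidArgument", message: msg.into() }
    }
}

/// Toy one-byte encoding (constructed): 0x01/0x02/0x03 select the MetricType.
/// An empty payload is the "truncated" case from the advisory's PoC.
pub fn decode_metric_type(bytes: &[u8]) -> Result<MetricType, DecodeError> {
    match bytes.first() {
        None => Err(DecodeError::InvalidMarkerRead),
        Some(0x01) => Ok(MetricType::Cpu),
        Some(0x02) => Ok(MetricType::Memory),
        Some(0x03) => Ok(MetricType::Disk),
        Some(&b) => Err(DecodeError::UnknownMarker(b)),
    }
}

/// Toy encoding for opts (constructed): 0x00 = no history, 0x01 = history.
pub fn decode_opts(bytes: &[u8]) -> Result<CollectMetricsOpts, DecodeError> {
    match bytes.first() {
        None => Err(DecodeError::InvalidMarkerRead),
        Some(0x00) => Ok(CollectMetricsOpts { history: false }),
        Some(0x01) => Ok(CollectMetricsOpts { history: true }),
        Some(&b) => Err(DecodeError::UnknownMarker(b)),
    }
}

/// VULNERABLE shape: unwrap() on client-controlled bytes. Any malformed payload
/// panics the handler instead of being reported back to the caller.
pub fn get_metrics_vulnerable(metric_type: &[u8], opts: &[u8]) -> (MetricType, CollectMetricsOpts) {
    let mt = decode_metric_type(metric_type).unwrap();
    let o = decode_opts(opts).unwrap();
    (mt, o)
}

/// HARDENED shape: every decode error becomes an InvalidArgument status that the
/// handler returns with `?`; the worker keeps serving other requests.
pub fn get_metrics_hardened(
    metric_type: &[u8],
    opts: &[u8],
) -> Result<(MetricType, CollectMetricsOpts), Status> {
    let mt = decode_metric_type(metric_type)
        .map_err(|e| Status::invalid_argument(format!("invalid metric_type: {e}")))?;
    let o = decode_opts(opts)
        .map_err(|e| Status::invalid_argument(format!("invalid opts: {e}")))?;
    Ok((mt, o))
}

fn main() {
    // Constructed inputs: one well-formed request, then the empty payloads from the PoC.
    println!("{:?}", get_metrics_hardened(&[0x02], &[0x01]));
    println!("{:?}", get_metrics_hardened(&[], &[]));
    // The vulnerable path is run under catch_unwind only so this demo does not abort.
    let r = std::panic::catch_unwind(|| get_metrics_vulnerable(&[], &[]));
    println!("vulnerable handler panicked: {}", r.is_err());
}
```

The fix is the `map_err(...)?` shape: a malformed request is a client error and should surface as a status, never as a panic. In a real tonic service the same applies to every `Deserialize::deserialize(...)` call on request fields, not only the two named here.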

PoC

rustfs-grpc-metrics-invalid-metric-type-panic-poc.tar.gz

  1. Start RustFS (example local dev):

     mkdir -p /tmp/rustfs-data1 /tmp/rustfs-data2
     RUSTFS_ACCESS_KEY=devadmin RUSTFS_SECRET_KEY=devadmin \
       cargo run --bin rustfs -- --address 0.0.0.0:9000 \
       /tmp/rustfs-data1 /tmp/rustfs-data2

  2. From rustfs-grpc-metrics-invalid-metric-type-panic-poc/, run:

     ENDPOINT=127.0.0.1:9000 make run
     # or: grpcurl -plaintext \
     #   -H 'authorization: rustfs rpc' \
     #   -import-path ../crates/protos/src -proto node.proto \
     #   -d '{"metric_type":"","opts":""}' \
     #   127.0.0.1:9000 node_service.NodeService/GetMetrics

  3. Observe the panic in the server logs at tonic_service.rs:get_metrics with InvalidMarkerRead and the worker crash; client output is saved to poc-response.txt/poc-grpcurl.log.

Impact

  • Vulnerability type: remote unauthenticated (static token) denial of service via panic in gRPC handler.
  • Who is impacted: any deployment exposing the gRPC endpoint where an attacker can reach port 9000 and supply the known "authorization: rustfs rpc" header; the metrics service is disrupted and overall stability may be affected depending on how the runtime handles the panic.
CVE: CVE-2025-69255 (GitHub Advisory Database, GitHub Reviewed)

Severity: Moderate (GitHub Reviewed). Published Jan 7, 2026 in rustfs/rustfs; updated Jan 7, 2026.

Package

rustfs (cargo, Rust)

Affected versions

>= 1.0.0-alpha.13, <= 1.0.0-alpha.77

Patched versions

1.0.0-alpha.78


References

  • GHSA-gw2x-q739-qhcr
  • rustfs/rustfs@eb33e82

Published to the GitHub Advisory Database: Jan 7, 2026
