x/vulndb: potential Go vuln in github.com/VictoriaMetrics/VictoriaMetrics: GHSA-66jq-2c23-2xh5

Advisory [GHSA-66jq-2c23-2xh5](https://github.com/advisories/GHSA-66jq-2c23-2xh5) references a vulnerability in the following Go modules:

| Module |
| - |
| [github.com/VictoriaMetrics/VictoriaMetrics](https://pkg.go.dev/github.com/VictoriaMetrics/VictoriaMetrics) |

Description:
### Impact
Affected versions are vulnerable to DoS attacks because the snappy decoder ignored VictoriaMetrics request size limits allowing malformed blocks to trigger excessive memory use. This could lead to OOM errors and service instability. The fix enforces block-size checks based on MaxRequest limits.

### Patches
Versions 1.129.1, 1.122.8, 1.110.23

### Resources
 - https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.129.1
 - https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.122.8
 - https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.110.23
...

References:
- ADVISORY: https://github.com/VictoriaMetrics/VictoriaMetrics/security/advisories/GHSA-66jq-2c23-2xh5
- ADVISORY: https://github.com/advisories/GHSA-66jq-2c23-2xh5
- FIX: https://github.com/VictoriaMetrics/VictoriaMetrics/commit/51b44afd34d2c9a392d4ebedeeb5b4a7f5beca24
- WEB: https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.110.23
- WEB: https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.122.8
- WEB: https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.129.1

No existing reports found with this module or alias.
See [doc/quickstart.md](https://github.com/golang/vulndb/blob/master/doc/quickstart.md) for instructions on how to triage this report.

```
id: GO-ID-PENDING
modules:
    - module: github.com/VictoriaMetrics/VictoriaMetrics
      versions:
        - fixed: 1.110.23
        - introduced: 1.111.0
        - fixed: 1.122.8
        - introduced: 1.123.0
        - fixed: 1.129.1
      non_go_versions:
        - introduced: 1.0.0
      vulnerable_at: 1.129.1-cluster
summary: VictoriaMetrics' Snappy Decoder DoS Vulnerability is Causing OOM in github.com/VictoriaMetrics/VictoriaMetrics
cves:
    - CVE-2025-65942
ghsas:
    - GHSA-66jq-2c23-2xh5
references:
    - advisory: https://github.com/VictoriaMetrics/VictoriaMetrics/security/advisories/GHSA-66jq-2c23-2xh5
    - advisory: https://github.com/advisories/GHSA-66jq-2c23-2xh5
    - fix: https://github.com/VictoriaMetrics/VictoriaMetrics/commit/51b44afd34d2c9a392d4ebedeeb5b4a7f5beca24
    - web: https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.110.23
    - web: https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.122.8
    - web: https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.129.1
source:
    id: GHSA-66jq-2c23-2xh5
    created: 2025-11-25T21:01:04.367514186Z
review_status: UNREVIEWED

```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

x/vulndb: potential Go vuln in github.com/VictoriaMetrics/VictoriaMetrics: GHSA-66jq-2c23-2xh5 #4161

Impact

Patches

Resources

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

x/vulndb: potential Go vuln in github.com/VictoriaMetrics/VictoriaMetrics: GHSA-66jq-2c23-2xh5 #4161

Description

Impact

Patches

Resources

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions