Buoyant Security Advisory 2025-01: Linkerd proxy metrics resource exhaustion (CVE-2025-43915)
Description
Linkerd proxies track and provide metrics for a workload's inbound and outbound HTTP requests. Inbound request metrics include an authority label, and outbound request metrics include a hostname label. Linkerd proxies that receive requests with a large number of unique hostnames may exhibit a corresponding high cardinality of metrics data. At the extreme, this metric data may consume a large amount of proxy memory, overwhelm metrics ingestion infrastructure, or create undesirable costs for third-party metrics ingestors.
Inbound authority labels
Edge releases prior to edge-25.2.1, and Buoyant Enterprise for Linkerd releases 2.13.0–2.13.7, 2.14.0–2.14.10, 2.15.0–2.15.7, 2.16.0–2.16.4, and 2.17.0–2.17.1 track and expose Prometheus metrics that include an authority label for inbound requests. Users of affected versions should consult the Mitigation and Action Required sections below.
Outbound hostname labels
Edge releases edge-24.10.3 through edge-25.1.2, and Buoyant Enterprise for Linkerd releases 2.17.0 and 2.17.1, track and expose Prometheus metrics that include a hostname label for outbound requests. Users of affected versions should consult the Mitigation and Action Required sections below.
Who is affected?
Generally speaking, Linkerd proxies that are exposed to HTTP traffic with unconstrained URLs are affected by this CVE. Common examples include:
- Linkerd deployments exposed to the Internet, e.g. through meshed ingress controllers.
- Linkerd deployments that take requests from arbitrary (i.e. uncontrolled) third-party applications.
- Linkerd deployments that mesh arbitrary third-party applications and have egress metrics enabled.
In these cases, malicious URLs can be crafted by attackers to increase proxy memory consumption over time.
Mitigation
Ensure that Linkerd proxies are not exposed to HTTP requests that contain an unbounded number of unique hostnames. For example, meshed workloads that handle Internet-facing traffic may need to have HTTP requests filtered before they hit the Linkerd proxy. Similarly, meshed workloads that make egress calls may need to be audited to ensure the number of unique hostnames is bounded.
Alternatively, update to the versions specified in the Action Required section below, which disable these metric labels by default.
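One way to check whether a proxy's exported metrics are already showing the label cardinality growth described above, as an added example that is not code from this advisory or from the Linkerd project: the script parses Prometheus text-exposition output, counts the distinct values of the authority and hostname labels per metric family, and reports any family that exceeds a chosen budget. The metric name request_total, the label set and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Prometheus text-exposition lines in the shape the
# advisory describes: inbound series carrying an `authority` label and
# outbound series carrying a `hostname` label. Metric and label names are
# assumed for illustration, not taken from the advisory.
SAMPLE_METRICS = """\
# HELP request_total Total count of HTTP requests.
# TYPE request_total counter
request_total{direction="inbound",authority="api.example.internal:8080",status_code="200"} 41
request_total{direction="inbound",authority="api.example.internal:8080",status_code="500"} 2
request_total{direction="inbound",authority="rnd-0001.example.test",status_code="404"} 1
request_total{direction="inbound",authority="rnd-0002.example.test",status_code="404"} 1
request_total{direction="inbound",authority="rnd-0003.example.test",status_code="404"} 1
request_total{direction="outbound",hostname="payments.example.internal",status_code="200"} 17
request_total{direction="outbound",hostname="ledger.example.internal",status_code="200"} 9
"""

# One exposition sample line: metric_name{label="value",...} value [timestamp]
SERIES_RE = re.compile(r'^(?P<name>[A-Za-z_:][A-Za-z0-9_:]*)\{(?P<labels>[^}]*)\}\s+\S+')
# One label pair inside the braces; values may contain escaped quotes.
LABEL_RE = re.compile(r'(?P<key>[A-Za-z_][A-Za-z0-9_]*)="(?P<val>(?:[^"\\]|\\.)*)"')


def label_cardinality(exposition: str, labels=("authority", "hostname")) -> dict:
    """Return {(metric_name, label): number of distinct values} for the
    watched labels, ignoring comments and series without labels."""
    seen = defaultdict(set)
    for line in exposition.splitlines():
        if not line or line.startswith("#"):
            continue
        m = SERIES_RE.match(line)
        if not m:
            continue
        for lm in LABEL_RE.finditer(m.group("labels")):
            if lm.group("key") in labels:
                seen[(m.group("name"), lm.group("key"))].add(lm.group("val"))
    return {key: len(values) for key, values in seen.items()}


def over_budget(exposition: str, budget: int) -> list:
    """Families whose watched label has more distinct values than `budget`,
    i.e. candidates for the memory and ingestion growth the advisory warns about."""
    return sorted(k for k, n in label_cardinality(exposition).items() if n > budget)


if __name__ == "__main__":
    for (metric, label), n in sorted(label_cardinality(SAMPLE_METRICS).items()):
        print(f"{metric} {label}: {n} distinct values")
    print("over budget:", over_budget(SAMPLE_METRICS, budget=3))
```

Against a live scrape the same budget check can be expressed in PromQL as `count(count by (authority) (request_total))`, again assuming that metric name.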
Action Required
If mitigation is not possible and Linkerd proxies cannot be prevented from exposure to an unbounded number of unique hostnames, Linkerd should be updated. Users of edge releases should update to edge-25.2.1 or later. Users of Buoyant Enterprise for Linkerd should update to BEL releases 2.16.5, 2.17.2, 2.18.0, or later releases.
CWE
CWE-770: Allocation of Resources Without Limits or Throttling
CVSS v3.1 Vector
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L/E:P/RL:O/RC:C
CVSS Temporal Score
5.2
Credits
John Howard