CVE-2025-43915
vulnerability analysis and mitigation

Overview

CVE-2025-43915 is a resource-exhaustion weakness in the Linkerd proxy's HTTP request metrics. It affects Linkerd edge releases before edge-25.2.1 and Buoyant Enterprise for Linkerd (BEL) releases 2.13.0–2.13.7, 2.14.0–2.14.10, 2.15.0–2.15.7, 2.16.0–2.16.4, and 2.17.0–2.17.1, and was disclosed on May 5, 2025. Request traffic can drive the cardinality of the proxy's metric labels up without limit, exhausting proxy memory and the metrics pipeline behind it (Wiz Report, NVD).

Technical details

Linkerd proxies track and export metrics for a workload's inbound and outbound HTTP requests. Inbound request metrics carry an authority label and outbound request metrics carry a hostname label, both taken from values the client chooses (the HTTP Host header or the HTTP/2 :authority pseudo-header). Every distinct label value creates a new time series in the proxy, so a client that sends requests with a large number of unique hostnames can raise the cardinality of the metrics without limit, consuming proxy memory and overwhelming the metrics ingestion infrastructure that scrapes it. The vulnerability has a CVSS v3.1 temporal score of 5.2 (base score 5.8) with vector AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L/E:P/RL:O/RC:C and is categorized under CWE-770: Allocation of Resources Without Limits or Throttling (Buoyant Advisory).

Impact

A steady stream of requests with fresh hostnames increases proxy memory consumption over time, inflates the number of series the metrics pipeline must ingest and store, and, where a third-party metrics ingestor bills by series or sample volume, creates unwanted cost. The deployments most exposed are those in which untrusted parties choose the hostnames: Linkerd deployments exposed to the Internet through meshed ingress controllers, deployments that take requests from arbitrary third-party applications, and deployments that mesh arbitrary third-party applications with egress metrics enabled (Buoyant Advisory).

Mitigation and workarounds

Ensure Linkerd proxies are not exposed to HTTP requests carrying an unbounded number of unique hostnames. For Internet-facing workloads, filter requests before they reach the Linkerd proxy, for example by rejecting at the ingress any request whose Host header is not one of the hostnames the workload actually serves; rate limiting alone does not bound the number of distinct label values, it only slows their growth. Upgrade to edge-25.2.1 or later for Linkerd edge releases, or to Buoyant Enterprise for Linkerd (BEL) 2.16.5, 2.17.2, 2.18.0, or later. The updated versions disable these metric labels by default, so dashboards or alerts that group by the authority or hostname label will need to be revisited after the upgrade (Buoyant Advisory).
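As an added example (not code from Linkerd, Buoyant, or the advisory), the Rust program below models the failure mode from the technical details section and the two responses described here: a per-hostname request counter whose series count grows with every new hostname, an ingress-style Host allowlist applied before the counter (the workaround), and the same counter with its hostname label disabled (the behaviour of the fixed releases). The max_series overflow bucket is a hypothetical bound added for comparison and is not a Linkerd setting; the attacker hostnames are constructed inline.

```rust
use std::collections::{HashMap, HashSet};

/// Stand-in for a sidecar proxy's HTTP request counter keyed by hostname.
/// Illustrative code written for this page, not the Linkerd proxy's own
/// metrics implementation.
pub struct RequestMetrics {
    /// One entry per distinct label value. Each entry is a time series the
    /// proxy holds in memory and exports on every scrape.
    series: HashMap<String, u64>,
    /// When false the hostname label is not recorded at all, which is what
    /// the fixed releases do by default.
    label_by_hostname: bool,
    /// Hypothetical cap on distinct hostname values; once reached, new values
    /// collapse into a single "_other" series. Not a Linkerd setting.
    max_series: usize,
}

impl RequestMetrics {
    pub fn new(label_by_hostname: bool, max_series: usize) -> Self {
        RequestMetrics { series: HashMap::new(), label_by_hostname, max_series }
    }

    /// Record one request whose Host / :authority value is `host`.
    pub fn record(&mut self, host: &str) {
        let key = if !self.label_by_hostname {
            String::new() // single unlabelled series
        } else if self.series.contains_key(host) || self.series.len() < self.max_series {
            host.to_string() // existing series, or a new one while under the cap
        } else {
            String::from("_other") // overflow bucket
        };
        *self.series.entry(key).or_insert(0) += 1;
    }

    /// Distinct series held: the quantity that grows without bound (CWE-770)
    /// when every incoming request carries a hostname never seen before.
    pub fn series_count(&self) -> usize {
        self.series.len()
    }

    pub fn total_requests(&self) -> u64 {
        self.series.values().sum()
    }
}

/// Ingress-side Host allowlist: the workaround of filtering requests before
/// they reach the proxy. Matching is case-insensitive and ignores a trailing ":port".
pub struct HostAllowlist {
    hosts: HashSet<String>,
}

impl HostAllowlist {
    pub fn new(hosts: &[&str]) -> Self {
        HostAllowlist { hosts: hosts.iter().map(|h| h.to_ascii_lowercase()).collect() }
    }

    pub fn permits(&self, host: &str) -> bool {
        let bare = match host.rsplit_once(':') {
            Some((h, port)) if !port.is_empty() && port.bytes().all(|b| b.is_ascii_digit()) => h,
            _ => host,
        };
        self.hosts.contains(&bare.to_ascii_lowercase())
    }
}

/// Push `hosts` through an optional allowlist, then into the metrics.
/// Returns (distinct series held afterwards, requests rejected by the filter).
pub fn simulate(metrics: &mut RequestMetrics, filter: Option<&HostAllowlist>, hosts: &[String]) -> (usize, usize) {
    let mut rejected = 0;
    for h in hosts {
        match filter {
            Some(f) if !f.permits(h) => rejected += 1,
            _ => metrics.record(h),
        }
    }
    (metrics.series_count(), rejected)
}

/// Constructed attacker traffic: `n` requests, each with a never-seen hostname.
pub fn attacker_hosts(n: usize) -> Vec<String> {
    (0..n).map(|i| format!("h{}.attacker.example", i)).collect()
}

fn main() {
    let traffic = attacker_hosts(10_000);

    // Affected releases: one series per hostname, bounded only by memory.
    let mut vulnerable = RequestMetrics::new(true, usize::MAX);
    let (n, _) = simulate(&mut vulnerable, None, &traffic);
    println!("hostname label, no bound: {} series", n); // 10000

    // Workaround: the allowlist keeps unknown hostnames off the proxy entirely.
    let allow = HostAllowlist::new(&["api.example.com", "www.example.com"]);
    let mut filtered = RequestMetrics::new(true, usize::MAX);
    let (n, rejected) = simulate(&mut filtered, Some(&allow), &traffic);
    println!("hostname label + allowlist: {} series, {} rejected", n, rejected); // 0, 10000

    // Fixed releases: label disabled, one series regardless of traffic.
    let mut fixed = RequestMetrics::new(false, usize::MAX);
    let (n, _) = simulate(&mut fixed, None, &traffic);
    println!("hostname label disabled: {} series", n); // 1

    // Hypothetical cap: 100 named series plus the "_other" bucket.
    let mut capped = RequestMetrics::new(true, 100);
    let (n, _) = simulate(&mut capped, None, &traffic);
    println!("hostname label, cap 100: {} series", n); // 101
}
```

Build and run it with rustc or cargo; each scenario prints the series count it holds after 10,000 requests with distinct hostnames. The allowlist is the only variant that keeps the untrusted values out of the proxy altogether, which is why the advisory recommends filtering in front of the proxy rather than relying on metric-side limits.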

Source: This report was generated using AI.
