CVE-2025-55181

Summary

Sending an HTTP request/response body with greater than 2^31 bytes triggers an infinite loop in proxygen::coro::HTTPQuicCoroSession which blocks the backing event loop and unconditionally appends data to a std::vector per-loop iteration. This issue leads to unbounded memory growth and eventually causes the process to run out of memory.

Affected Software

VendorProductVersion RangeStatus
Facebookproxygenv2025.08.25.00 <= v2025.12.01.00affected

Weaknesses

  • Excessive Iteration (CWE-834)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References