Vulnerability Details CVE-2025-55181
Sending an HTTP request/response body with greater than 2^31 bytes triggers an infinite loop in proxygen::coro::HTTPQuicCoroSession which blocks the backing event loop and unconditionally appends data to a std::vector per-loop iteration. This issue leads to unbounded memory growth and eventually causes the process to run out of memory.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 16.2%
CVSS Severity
CVSS v3 Score 5.3
References
Products affected by CVE-2025-55181
-
cpe:2.3:a:facebook:proxygen:2025.08.25.00
-
cpe:2.3:a:facebook:proxygen:2025.09.01.00
-
cpe:2.3:a:facebook:proxygen:2025.09.08.00
-
cpe:2.3:a:facebook:proxygen:2025.09.15.00
-
cpe:2.3:a:facebook:proxygen:2025.09.22.00
-
cpe:2.3:a:facebook:proxygen:2025.09.29.00
-
cpe:2.3:a:facebook:proxygen:2025.10.06.00
-
cpe:2.3:a:facebook:proxygen:2025.10.13.00
-
cpe:2.3:a:facebook:proxygen:2025.10.20.00
-
cpe:2.3:a:facebook:proxygen:2025.10.27.00
-
cpe:2.3:a:facebook:proxygen:2025.11.03.00
-
cpe:2.3:a:facebook:proxygen:2025.11.10.00
-
cpe:2.3:a:facebook:proxygen:2025.11.17.00
-
cpe:2.3:a:facebook:proxygen:2025.11.24.00
-
cpe:2.3:a:facebook:proxygen:2025.12.01.00