VYPR
Moderate severity · NVD Advisory · Published May 5, 2025 · Updated May 19, 2025

CVE-2025-43915

Description

In Linkerd edge releases before edge-25.2.1, and Buoyant Enterprise for Linkerd releases 2.13.0–2.13.7, 2.14.0–2.14.10, 2.15.0–2.15.7, 2.16.0–2.16.4, and 2.17.0–2.17.1, resource exhaustion can occur for Linkerd proxy metrics.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Linkerd proxy metrics in certain edge and Buoyant Enterprise releases allow resource exhaustion via high-cardinality hostname labels.

Vulnerability Description

Linkerd proxies track HTTP request metrics using labels such as authority for inbound requests and hostname for outbound requests. In affected versions, these metrics are exposed without any cardinality limits. An attacker can craft HTTP requests with a large number of unique hostnames, causing the proxy to generate an unbounded number of metric series [1][3]. This results in high memory consumption on the proxy itself and can overwhelm downstream metrics ingestion systems, including third-party platforms [3].

Attack Vector

The vulnerability can be exploited by any client that can send HTTP requests to a meshed Linkerd proxy. Common attack scenarios include a Linkerd deployment exposed to the internet—for example, through a meshed ingress controller—or a mesh that handles traffic from uncontrolled third-party applications. Additionally, if a Linkerd deployment has egress metrics enabled and meshes arbitrary third-party applications, an attacker can also trigger the exhaustion via outbound requests [3]. No special authentication or network position beyond the ability to send HTTP requests is required.

Impact

A successful exploitation leads to resource exhaustion on the Linkerd proxy, consuming increasing amounts of memory over time. This can degrade or deny service to legitimate traffic. The surge in metric cardinality can also overload Prometheus or other monitoring backends, potentially causing data loss or increased operational costs for third-party metrics ingestion services [3].

Mitigation and Patches

The issue is fixed in Linkerd edge release edge-25.2.1 and later. For stable and Buoyant Enterprise releases, the fix is included in the versions that follow the affected ranges listed above; users of affected releases should upgrade promptly [3]. As a workaround, operators should ensure that Linkerd proxies are not exposed to HTTP requests with unbounded hostnames, for example by filtering or rate-limiting incoming requests at the ingress level [3].
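Operators still on an affected release cannot change the proxy's metrics code, but they can watch the proxy's scrape output for the label growth described in the Vulnerability Description, and the generic cardinality-cap pattern below shows why a bound on distinct label values stops the series count from growing with attacker input. The Go example is added here and is not Linkerd or Buoyant code; the metric name `request_total`, the sample scrape and the `BoundedLabel` type are constructed assumptions modelled on the advisory text (the `authority` and `hostname` label names), not the project's actual fix.

```go
package main

import (
	"regexp"
	"strings"
)

// Constructed sample scrape (Prometheus text format); metric and label names are assumptions.
const sampleScrape = `
request_total{direction="inbound",authority="web.default.svc",status="200"} 10
request_total{direction="inbound",authority="a1.example",status="404"} 1
request_total{direction="outbound",hostname="api.example.com"} 5
request_total{direction="outbound",hostname="h1.example.net"} 1
`
var labelRe = regexp.MustCompile(`(\w+)="([^"]*)"`)

// DistinctLabelValues counts distinct values per label name across one scrape.
// A rising authority/hostname count between scrapes is the signal for this CVE.
func DistinctLabelValues(scrape string) map[string]int {
	seen := map[[2]string]bool{} // (label name, label value) pairs already counted
	counts := map[string]int{}
	for _, line := range strings.Split(scrape, "\n") {
		for _, m := range labelRe.FindAllStringSubmatch(line, -1) {
			key := [2]string{m[1], m[2]}
			if !seen[key] {
				seen[key] = true
				counts[m[1]]++
			}
		}
	}
	return counts
}

// BoundedLabel caps cardinality on the emitting side: once Max distinct values
// are admitted, further values fold into "other", bounding series per label.
type BoundedLabel struct {
	Max   int
	known map[string]bool
}

func (b *BoundedLabel) Value(v string) string {
	if b.known == nil {
		b.known = map[string]bool{}
	}
	if !b.known[v] && len(b.known) >= b.Max {
		return "other"
	}
	b.known[v] = true
	return v
}
```

Run `DistinctLabelValues` over successive scrapes of an affected proxy and alert when the `authority` or `hostname` count keeps climbing between samples; a fixed proxy behaves like `BoundedLabel`, where the count levels off at the cap.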

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                            Affected versions                      Patched versions
github.com/linkerd/linkerd2 (Go)   < 0.0.0-20250212165942-faa3f617eef5    0.0.0-20250212165942-faa3f617eef5
