CVE-2025-69233

Due to multiple time-of-check time-of-use race conditions in the resource count check and increment logic, as well as missing validations, users of the platform are able to exceed the allocation limits configured for their accounts/domains. This can be used by an attacker to degrade the infrastructure's resources and lead to denial of service conditions. Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm	Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/05/09/5

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:cloudstack::::::::
	cpe:2.3:a:apache:cloudstack::::::::

History

09 May 2026, 07:16

Type	Values Removed	Values Added
References		() http://www.openwall.com/lists/oss-security/2026/05/09/5 -

08 May 2026, 19:50

Type	Values Removed	Values Added
First Time		Apache Apache cloudstack
CPE		cpe:2.3:a:apache:cloudstack::::::::
References	~~() https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm -~~	() https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm - Mailing List, Vendor Advisory

08 May 2026, 13:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-08 13:16

Updated : 2026-05-09 07:16

NVD link : CVE-2025-69233

Mitre link : CVE-2025-69233

CVE.ORG link : CVE-2025-69233

JSON object : View

Products Affected

apache

cloudstack

CWE

CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2025-69233", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@apache.org", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.6}]}, "published": "2026-05-08T13:16:35.993", "references": [{"url": "https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2026/05/09/5", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-367"}, {"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "Due to multiple time-of-check time-of-use race conditions in the resource count check and increment logic, as well as missing validations, users of the platform are able to exceed the allocation limits configured for their accounts/domains. This can be used by an attacker to degrade the infrastructure's resources and lead to denial of service conditions.\n\nUsers are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue."}], "lastModified": "2026-05-09T07:16:08.847", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B0820043-939A-4549-AE30-03196C079366", "versionEndExcluding": "4.20.3.0", "versionStartIncluding": "4.0.0"}, {"criteria": "cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "78690ED1-C4B3-4DC9-9B53-FB31D6D17125", "versionEndExcluding": "4.22.0.1", "versionStartIncluding": "4.21.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}