CVE-2025-69233 PUBLISHED

Apache CloudStack: Domain/account resources limits not honored

Assigner: apache
Reserved: 29.12.2025 Published: 08.05.2026 Updated: 09.05.2026

Due to multiple time-of-check time-of-use race conditions in the resource count check and increment logic, as well as missing validations, users of the platform are able to exceed the allocation limits configured for their accounts/domains. This can be used by an attacker to degrade the infrastructure's resources and lead to denial of service conditions.

Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 6.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	Low	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Apache Software Foundation
Product	Apache CloudStack
Versions	Default: unaffected affected from 4.0.0 to 4.20.2.0 (incl.) affected from 4.21.0.0 to 4.22.0.0 (incl.)

Credits

Fernando Oliveira <ferolicar82@gmail.com> reporter
Gustavo Viana <viana.gust@gmail.com> reporter

References

https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm

Problem Types

CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition CWE
CWE-770 Allocation of Resources Without Limits or Throttling CWE