
CVE-2025-43915: n/a

Medium
Published: Mon May 05 2025 (05/05/2025, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

In Linkerd edge releases before edge-25.2.1, and Buoyant Enterprise for Linkerd releases 2.13.0–2.13.7, 2.14.0–2.14.10, 2.15.0–2.15.7, 2.16.0–2.16.4, and 2.17.0–2.17.1, resource exhaustion can occur for Linkerd proxy metrics.

AI-Powered Analysis

Last updated: 07/11/2025, 19:16:59 UTC

Technical Analysis

CVE-2025-43915 affects Linkerd edge releases prior to edge-25.2.1 and Buoyant Enterprise for Linkerd versions 2.13.0 through 2.13.7, 2.14.0 through 2.14.10, 2.15.0 through 2.15.7, 2.16.0 through 2.16.4, and 2.17.0 through 2.17.1. The issue is classified as resource exhaustion (CWE-400) and occurs specifically in the Linkerd proxy metrics subsystem. Linkerd is a widely used open-source service mesh that provides observability, reliability, and security for cloud-native applications, particularly in Kubernetes environments.

The vulnerability allows an unauthenticated remote attacker to cause resource exhaustion through the way the Linkerd proxy handles its metrics, potentially leading to a denial of service (DoS). According to the CVSS v3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H), the attack can be launched over the network without privileges or user interaction but requires high attack complexity. The impact is primarily on availability, with limited integrity impact and no confidentiality loss. No exploits are currently reported in the wild, and no official patches are linked yet, though the fixed version is edge-25.2.1 or later.

The vulnerability could be triggered by crafted requests or metrics queries that overwhelm the proxy's resource handling, causing it to degrade or crash and impairing the service mesh's ability to route and manage traffic. This can disrupt microservice communication and degrade application performance or availability in environments that rely on Linkerd for service mesh functionality.

Potential Impact

For European organizations, especially those adopting cloud-native architectures and Kubernetes clusters with Linkerd as their service mesh, this vulnerability poses a significant risk to service availability. Disruption of the Linkerd proxy can lead to partial or complete denial of service for microservices, affecting critical business applications and services. This is particularly impactful for industries with high availability requirements such as finance, healthcare, telecommunications, and public sector services. The resource exhaustion could cause cascading failures in distributed systems, complicating incident response and recovery. Additionally, the lack of confidentiality impact means data leaks are unlikely, but the integrity impact, while low, could still affect monitoring data accuracy, potentially hindering incident detection and response. The medium CVSS score reflects the balance between the difficulty of exploitation and the severity of impact. Organizations relying on Linkerd for observability and traffic management should consider this vulnerability a priority to address to maintain operational continuity.

Mitigation Recommendations

1. Upgrade to Linkerd edge release 25.2.1 or later, or Buoyant Enterprise for Linkerd versions beyond those affected, as soon as official patches become available.
2. Implement strict network-level access controls to limit exposure of Linkerd proxy metrics endpoints to trusted internal networks only, reducing the attack surface.
3. Monitor resource usage of Linkerd proxies closely using existing observability tools to detect unusual spikes indicative of exploitation attempts.
4. Employ rate limiting and request throttling on metrics endpoints to prevent excessive or malformed queries from overwhelming the proxy.
5. Use Kubernetes network policies and service mesh security features to restrict which services can query proxy metrics.
6. Prepare incident response playbooks specific to service mesh disruptions to enable rapid recovery.
7. Regularly review and audit service mesh configurations to ensure adherence to security best practices and minimize unnecessary exposure of metrics endpoints.
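Recommendation 3 (watch for unusual spikes in proxy resource usage) is easiest to act on when the proxy's metrics output itself is measured: a proxy whose metrics subsystem is being exhausted tends to show it as a growing number of time series or a growing scrape payload. The script below is an added example, not code from this page or from the Linkerd project. It assumes the proxy's metrics endpoint serves Prometheus text exposition format (which Linkerd's proxy admin endpoint does), and the sample scrape, label values and baseline counts are constructed for the example; the metric family names follow Linkerd's naming style. It counts series per metric family and flags any family that exceeds an absolute cap or has grown sharply against a baseline taken from a healthy scrape.

```python
from __future__ import annotations

import re
from collections import Counter

# One Prometheus exposition sample line: name{labels} value [timestamp]
_SERIES_RE = re.compile(r"^([A-Za-z_:][A-Za-z0-9_:]*)(\{[^}]*\})?\s+\S+")


def count_series(exposition: str) -> Counter:
    """Count time series per metric family in a text-format scrape.

    Comment lines (# HELP / # TYPE) and blank lines are ignored; every other
    line that parses as `name{labels} value` counts as one series.
    """
    counts: Counter = Counter()
    for raw in exposition.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _SERIES_RE.match(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def find_anomalies(
    exposition: str,
    baseline: dict[str, int],
    per_family_limit: int = 1000,
    growth_factor: float = 3.0,
) -> list[dict]:
    """Flag metric families whose series count is abnormally large.

    A family is reported when it exceeds an absolute cap (per_family_limit) or
    has grown by more than growth_factor relative to the baseline recorded
    from a healthy scrape. Families absent from the baseline are judged only
    against the absolute cap.
    """
    counts = count_series(exposition)
    findings = []
    for family, n in sorted(counts.items()):
        reasons = []
        if n > per_family_limit:
            reasons.append(f"exceeds absolute cap {per_family_limit}")
        previous = baseline.get(family)
        if previous is not None and previous > 0 and n > growth_factor * previous:
            reasons.append(f"grew {n / previous:.1f}x over baseline {previous}")
        if reasons:
            findings.append({"family": family, "series": n, "reasons": reasons})
    return findings


# Constructed sample scrape: Linkerd-style metric names, invented label values.
# 1500 tcp_open_total series with distinct target_addr labels stand in for
# runaway label cardinality.
SAMPLE_SCRAPE = "\n".join(
    [
        "# HELP request_total Total count of HTTP requests.",
        "# TYPE request_total counter",
        'request_total{direction="inbound",target_addr="10.0.0.5:8080"} 42',
        'request_total{direction="inbound",target_addr="10.0.0.6:8080"} 7',
        'request_total{direction="outbound",dst="svc-a.default.svc.cluster.local:80"} 13',
        "# TYPE process_cpu_seconds_total counter",
        "process_cpu_seconds_total 3.5",
        "# TYPE tcp_open_total counter",
    ]
    + [
        f'tcp_open_total{{direction="outbound",target_addr="10.1.{i // 256}.{i % 256}:443"}} 1'
        for i in range(1500)
    ]
)

# Constructed baseline: series counts from an earlier healthy scrape of the same proxy.
HEALTHY_BASELINE = {"request_total": 3, "process_cpu_seconds_total": 1, "tcp_open_total": 100}


def scrape_report(exposition: str, baseline: dict[str, int]) -> dict:
    """Summarise one scrape: payload size, total series, and anomalies."""
    counts = count_series(exposition)
    return {
        "bytes": len(exposition.encode("utf-8")),
        "total_series": sum(counts.values()),
        "anomalies": find_anomalies(exposition, baseline),
    }


if __name__ == "__main__":
    report = scrape_report(SAMPLE_SCRAPE, HEALTHY_BASELINE)
    print(f"payload: {report['bytes']} bytes, {report['total_series']} series")
    for finding in report["anomalies"]:
        print(f"ALERT {finding['family']}: {finding['series']} series; " + "; ".join(finding["reasons"]))
```

In a live cluster the text passed to `scrape_report` would be the body fetched from the proxy's admin metrics endpoint (or the same scrape your Prometheus already collects), and the baseline would be persisted from a known-good period; the absolute cap and growth factor are tuning knobs, not values from the advisory. The check is deliberately independent of the root cause, since the page does not state which metrics are affected: any family whose series count balloons is worth an alert.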


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2025-04-19T00:00:00.000Z
CISA Enriched
true
CVSS Version
3.1
State
PUBLISHED

Threat ID: 682cd0f81484d88663aeb6e0

Added to database: 5/20/2025, 6:59:04 PM

Last enriched: 7/11/2025, 7:16:59 PM

Last updated: 7/31/2025, 1:42:01 AM
