PT-2025-9522 · Abacus · Abacus
Jasonlovesdoggo
Published: 2025-03-03 · Updated: 2025-03-13
CVE-2025-27421
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Abacus versions prior to 1.4.0
Description
A resource-leak issue has been identified in the Abacus server's Server-Sent Events (SSE) implementation, specifically the /stream endpoint. When a client disconnects, the server does not release the resources tied to that connection or terminate the goroutine serving it: the per-client channel used by the event handling mechanism is never cleaned up, so the goroutine stays blocked on it indefinitely. Every abandoned connection therefore leaks a goroutine and its channel. The server keeps running, but memory usage stays high and grows with each leak, and it eventually stops accepting new SSE connections. The endpoint is reachable without authentication, so a remote client can trigger the leak simply by connecting to /stream and disconnecting repeatedly; the impact is limited to availability, as the CVSS vector above reflects.
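The following Go program is an added example, not Abacus's code and not the advisory's own exploit or fix: it models the defect class the description names (an SSE handler that keeps a per-client channel and never releases it) next to a handler that cleans up correctly. The Broker type, the function names and the /stream handler bodies are all assumptions made for the illustration; net/http cancels r.Context() when the peer closes the connection, which is what the harness simulates.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// Broker hands every connected client its own event channel. It is a
// constructed stand-in for the advisory's event handling, not Abacus's code.
type Broker struct {
	mu   sync.Mutex
	subs map[chan string]struct{}
}

func NewBroker() *Broker { return &Broker{subs: map[chan string]struct{}{}} }

// Subscribe registers a buffered channel for a new client.
func (b *Broker) Subscribe() chan string {
	ch := make(chan string, 8)
	b.mu.Lock()
	b.subs[ch] = struct{}{}
	b.mu.Unlock()
	return ch
}

// Unsubscribe releases a client's channel; the fixed handler always reaches it.
func (b *Broker) Unsubscribe(ch chan string) {
	b.mu.Lock()
	delete(b.subs, ch)
	b.mu.Unlock()
}

// Subscribers reports how many client channels are still registered.
func (b *Broker) Subscribers() int {
	b.mu.Lock()
	defer b.mu.Unlock()
	return len(b.subs)
}

// vulnerableStream shows the defect class: the handler never watches the
// request context and never unsubscribes, so once the client is gone the
// goroutine sits on ch forever and the channel stays registered.
func vulnerableStream(b *Broker) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		ch := b.Subscribe()
		w.Header().Set("Content-Type", "text/event-stream")
		flusher, _ := w.(http.Flusher)
		for ev := range ch { // blocks indefinitely once nothing is published
			fmt.Fprintf(w, "data: %s\n\n", ev)
			flusher.Flush()
		}
	}
}

// fixedStream releases everything tied to the connection: it selects on
// r.Context().Done(), which net/http cancels when the client disconnects,
// and deregisters the channel on every exit path via defer.
func fixedStream(b *Broker) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		ch := b.Subscribe()
		defer b.Unsubscribe(ch)
		flusher, ok := w.(http.Flusher)
		if !ok {
			http.Error(w, "streaming unsupported", http.StatusInternalServerError)
			return
		}
		w.Header().Set("Content-Type", "text/event-stream")
		for {
			select {
			case <-r.Context().Done():
				return
			case ev := <-ch:
				if _, err := fmt.Fprintf(w, "data: %s\n\n", ev); err != nil {
					return
				}
				flusher.Flush()
			}
		}
	}
}

// handlerExitsOnDisconnect runs h against a request whose context is
// cancelled shortly after the handler starts (what net/http does when the
// peer closes the socket) and reports whether the handler returned in time.
func handlerExitsOnDisconnect(h http.Handler, timeout time.Duration) bool {
	ctx, cancel := context.WithCancel(context.Background())
	req := httptest.NewRequest(http.MethodGet, "/stream", nil).WithContext(ctx)
	done := make(chan struct{})
	go func() {
		h.ServeHTTP(httptest.NewRecorder(), req)
		close(done)
	}()
	time.Sleep(20 * time.Millisecond) // let the handler subscribe and block
	cancel()                          // simulated client disconnect
	select {
	case <-done:
		return true
	case <-time.After(timeout):
		return false
	}
}

func main() {
	b := NewBroker()
	fmt.Println("vulnerable exited:", handlerExitsOnDisconnect(vulnerableStream(b), 200*time.Millisecond), "registered:", b.Subscribers())
	b = NewBroker()
	fmt.Println("fixed exited:", handlerExitsOnDisconnect(fixedStream(b), 200*time.Millisecond), "registered:", b.Subscribers())
}
```

The vulnerable handler never returns after the simulated disconnect and leaves its channel registered; the fixed one returns and deregisters. In a real deployment the same difference shows up as a goroutine count that climbs with every disconnected /stream client and never comes back down. A publisher feeding such channels should also use a non-blocking send (select with a default case) so that a client that has stopped draining its buffer cannot stall event delivery to everyone else.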
Recommendations
Update to version 1.4.0 or later, which resolves the issue. As a temporary workaround, restrict access to the /stream endpoint (for example, with an allow-list at a reverse proxy or firewall) to reduce exposure. Operators can confirm whether they are affected by watching the process's goroutine count and memory usage: on a vulnerable version both keep growing as SSE clients disconnect and never return to baseline.
Weakness
Missing Release of Resource after Effective Lifetime (CWE-772)
Resource Exhaustion
Affected Products
Abacus