What happened?
CrowdSec v1.7.4 (docker) crashes with multiple nil pointer dereferences across
different goroutines:
- Parser (legacy grok path)
- Leaky bucket manager (PourItemToHolders)
- API heartbeat (cloneRequest)
All crashes involve unsafe map access and appear related to partial or
concurrent initialization of internal state.
Binary is built with Go 1.25.5.
crowdsec-crash.499161833.txt
crowdsec-crash.1793836323.txt
crowdsec-crash.3868671951.txt
What did you expect to happen?
I am running WireDoor stack on Docker. CrowdSec container restarted often and found the bug worth reporting.
How can we reproduce it (as minimally and precisely as possible)?
OS: Ubuntu Server 24.04 (VM)
Runtime: Docker Engine (rootful)
CrowdSec image: crowdsecurity/crowdsec:v1.7.4
Build:
GoVersion: 1.25.5
Platform: docker
docker run --rm
--name crowdsec
-v crowdsec-data:/var/lib/crowdsec/data
-v /var/log/nginx:/var/log/nginx:ro
crowdsecurity/crowdsec:v1.7.4
- Start CrowdSec v1.7.4 with default nginx collection enabled.
- Generate sustained HTTP traffic (normal + malformed user agents).
- Let CrowdSec run for 30–120 minutes.
- Observe container restarts or crashes.
The crash is not immediate but occurs reliably under sustained traffic.
while true; do
curl -A "badbot-$(date +%s)" http:/// 2>/dev/null
curl -A "Mozilla/5.0" http:/// 2>/dev/null
sleep 0.2
done
Observed panics occur in multiple goroutines:
- parser (legacy grok parsing)
- leakybucket (PourItemToHolders)
- apiclient heartbeat (cloneRequest)
All crashes are nil pointer dereferences involving internal maps.
Anything else we need to know?
The crash appears timing/concurrency dependent.
I was unable to reproduce it with a single request, but it occurs reliably
under sustained traffic within 1–2 hours.
No OOM events observed. dmesg is clean.
I am going to try crowdsec v1.7.3 to see if happens the same...
Crowdsec version
Details
crowdsecurity/crowdsec:v1.7.4-db3efdbf
$ cscli version
# paste output here
OS version
Details
PRETTY_NAME="Ubuntu 24.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.3 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo
Linux vm8110-ubusrv-2404-fn-ip471 6.8.0-90-generic #91-Ubuntu SMP PREEMPT_DYNAMIC Tue Nov 18 14:14:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
Enabled collections and parsers
Details
$ cscli hub list -o raw
# paste output here
Acquisition config
Details
# On Linux:
$ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/*
# paste output here
# On Windows:
C:\> Get-Content C:\ProgramData\CrowdSec\config\acquis.yaml
# paste output here
Config show
Details
$ cscli config show
# paste output here
Prometheus metrics
Details
$ cscli metrics
# paste output here
Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.
Details
What happened?
CrowdSec v1.7.4 (docker) crashes with multiple nil pointer dereferences across
different goroutines:
All crashes involve unsafe map access and appear related to partial or
concurrent initialization of internal state.
Binary is built with Go 1.25.5.
crowdsec-crash.499161833.txt
crowdsec-crash.1793836323.txt
crowdsec-crash.3868671951.txt
What did you expect to happen?
I am running WireDoor stack on Docker. CrowdSec container restarted often and found the bug worth reporting.
How can we reproduce it (as minimally and precisely as possible)?
OS: Ubuntu Server 24.04 (VM)
Runtime: Docker Engine (rootful)
CrowdSec image: crowdsecurity/crowdsec:v1.7.4
Build:
GoVersion: 1.25.5
Platform: docker
docker run --rm
--name crowdsec
-v crowdsec-data:/var/lib/crowdsec/data
-v /var/log/nginx:/var/log/nginx:ro
crowdsecurity/crowdsec:v1.7.4
The crash is not immediate but occurs reliably under sustained traffic.
while true; do
curl -A "badbot-$(date +%s)" http:/// 2>/dev/null
curl -A "Mozilla/5.0" http:/// 2>/dev/null
sleep 0.2
done
Observed panics occur in multiple goroutines:
All crashes are nil pointer dereferences involving internal maps.
Anything else we need to know?
The crash appears timing/concurrency dependent.
I was unable to reproduce it with a single request, but it occurs reliably
under sustained traffic within 1–2 hours.
No OOM events observed. dmesg is clean.
I am going to try crowdsec v1.7.3 to see if happens the same...
Crowdsec version
Details
crowdsecurity/crowdsec:v1.7.4-db3efdbfOS version
Details
PRETTY_NAME="Ubuntu 24.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.3 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo
Linux vm8110-ubusrv-2404-fn-ip471 6.8.0-90-generic #91-Ubuntu SMP PREEMPT_DYNAMIC Tue Nov 18 14:14:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
Enabled collections and parsers
Details
Acquisition config
Details
Config show
Details
Prometheus metrics
Details
Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.
Details