nuclei icon indicating copy to clipboard operation
nuclei copied to clipboard
verified publisher icon projectdiscovery

[BUG] Another memory leak gets nuclei killed

Open mastercho opened this issue 1 month ago • 14 comments

Is there an existing issue for this?

  • [x] I have searched the existing issues.

Current Behavior

nuclei spikes CPU and RAM at 100% and gets killed if you scan critical severity list with 30 lines

Expected Behavior

To finish scan without being nuclei killed

Steps To Reproduce

nuclei -l list.txt -silent -t /root/nuclei-templates/ -retries 2 -nmhe -severity critical -rl 150 -o nuclei_output/critical.txt

Relevant log output

I collected profiles with PPROF, i can send in discord or you can download here: https://gofile.io/d/JIFH1S

Environment

- OS: Ubuntu 24.04
- Nuclei: 3.4.10
- Go: 1.25.3

Anything else?

No response

mastercho avatar Oct 30 '25 15:10 mastercho

This is reproducible with an http server with very long http responses as all of them are hold in memory

Mzack9999 avatar Oct 31 '25 13:10 Mzack9999

Its 16GB RAM and AMD EPYC limited to 6 CPU-Cores , 320 NVME SSD Server, if 16GB RAM is not enough then i think issue is somewhere in code

mastercho avatar Oct 31 '25 15:10 mastercho

@mastercho would it be possible to test if the PR https://github.com/projectdiscovery/nuclei/pull/6571 fixes the issue?

Mzack9999 avatar Nov 02 '25 10:11 Mzack9999 

go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@feat-6567-memory-leak
go: github.com/projectdiscovery/nuclei/v3/cmd/nuclei@feat-6567-memory-leak (in github.com/projectdiscovery/nuclei/[email protected]):
        The go.mod file for the module providing named packages contains one or
        more replace directives. It must not contain directives that would cause
        it to be interpreted differently than if it were the main module.

GO wont allow me to install PR and dont want to download and compile from scratch

mastercho avatar Nov 02 '25 19:11 mastercho

GO wont allow me to install PR and dont want to download and compile from scratch

$ git clone https://github.com/projectdiscovery/nuclei && cd nuclei/
$ gh pr checkout 6571
$ make build
$ ./bin/nuclei [...]

dwisiswant0 avatar Nov 03 '25 14:11 dwisiswant0

Still being killed, new profiles with PR https://gofile.io/d/SLKN3A

mastercho avatar Nov 16 '25 17:11 mastercho

any updates? As we cant run lists right now and waiting for this fix

mastercho avatar Nov 24 '25 14:11 mastercho

@dwisiswant0 do you need anything from my side to solve that?

mastercho avatar Dec 05 '25 00:12 mastercho

Could you try reproducing the issue on the latest release (v3.6.0)? And run it with the -profile-mem flag so we can get the memory profiling details. That'll help a lot with troubleshooting.

dwisiswant0 avatar Dec 05 '25 14:12 dwisiswant0

Could you try reproducing the issue on the latest release (v3.6.0)? And run it with the -profile-mem flag so we can get the memory profiling details. That'll help a lot with troubleshooting.

Here you can find -profile-mem and PPROF

https://gofile.io/d/l2LfdV

mastercho avatar Dec 06 '25 15:12 mastercho

Thansk! Will take a look.

dwisiswant0 avatar Dec 08 '25 07:12 dwisiswant0

Very weird that the CPU and memory profiles are both 0 bytes.

$ ls -la *.{cpu,mem,trace}
.rw-rw-r-- dw1 dw1   0 B  Sun Dec  7 00:29:58 2025  nuclei-mem.cpu
.rw-rw-r-- dw1 dw1   0 B  Sun Dec  7 00:30:00 2025  nuclei-mem.mem
.rw-rw-r-- dw1 dw1 390 MB Sun Dec  7 00:29:34 2025  nuclei-mem.trace

dwisiswant0 avatar Dec 08 '25 07:12 dwisiswant0

Curious how exactly did you generate those cpuprofile/cpuprofile-XN.out and memdump/memprofile-XN.out files?

dwisiswant0 avatar Dec 08 '25 07:12 dwisiswant0

Curious how exactly did you generate those cpuprofile/cpuprofile-XN.out and memdump/memprofile-XN.out files?

i did run command as you suggested with -profile-mem=nuclei-mem and other is PPROF with export PPROF=1; export PPROF_TIME=10s;

mastercho avatar Dec 09 '25 03:12 mastercho