
Multiple nil-pointer panics across parser, leaky bucket, and API heartbeat in v1.7.4 (Go 1.25) #4216

@fkwang3

What happened?

CrowdSec v1.7.4 (docker) crashes with multiple nil pointer dereferences across
different goroutines:

  1. Parser (legacy grok path)
  2. Leaky bucket manager (PourItemToHolders)
  3. API heartbeat (cloneRequest)

All crashes involve unsafe map access and appear related to partial or
concurrent initialization of internal state.

Binary is built with Go 1.25.5.

crowdsec-crash.499161833.txt

crowdsec-crash.1793836323.txt

crowdsec-crash.3868671951.txt

What did you expect to happen?

I am running the WireDoor stack on Docker. The CrowdSec container restarted often, and I found the bug worth reporting.

How can we reproduce it (as minimally and precisely as possible)?

OS: Ubuntu Server 24.04 (VM)
Runtime: Docker Engine (rootful)
CrowdSec image: crowdsecurity/crowdsec:v1.7.4
Build:
GoVersion: 1.25.5
Platform: docker

docker run --rm \
  --name crowdsec \
  -v crowdsec-data:/var/lib/crowdsec/data \
  -v /var/log/nginx:/var/log/nginx:ro \
  crowdsecurity/crowdsec:v1.7.4

  1. Start CrowdSec v1.7.4 with default nginx collection enabled.
  2. Generate sustained HTTP traffic (normal + malformed user agents).
  3. Let CrowdSec run for 30–120 minutes.
  4. Observe container restarts or crashes.

The crash is not immediate but occurs reliably under sustained traffic.

while true; do
curl -A "badbot-$(date +%s)" http:/// 2>/dev/null
curl -A "Mozilla/5.0" http:/// 2>/dev/null
sleep 0.2
done

Observed panics occur in multiple goroutines:

  • parser (legacy grok parsing)
  • leakybucket (PourItemToHolders)
  • apiclient heartbeat (cloneRequest)

All crashes are nil pointer dereferences involving internal maps.

Anything else we need to know?

The crash appears timing/concurrency dependent.
I was unable to reproduce it with a single request, but it occurs reliably
under sustained traffic within 1–2 hours.

No OOM events observed. dmesg is clean.

I am going to try CrowdSec v1.7.3 to see if the same happens...

Crowdsec version

crowdsecurity/crowdsec:v1.7.4-db3efdbf
$ cscli version
# paste output here

OS version

PRETTY_NAME="Ubuntu 24.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.3 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo

Linux vm8110-ubusrv-2404-fn-ip471 6.8.0-90-generic #91-Ubuntu SMP PREEMPT_DYNAMIC Tue Nov 18 14:14:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Enabled collections and parsers

$ cscli hub list -o raw
# paste output here

Acquisition config

# On Linux:
$ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/*
# paste output here

# On Windows:
C:\> Get-Content C:\ProgramData\CrowdSec\config\acquis.yaml
# paste output here

Config show

$ cscli config show
# paste output here

Prometheus metrics

$ cscli metrics
# paste output here

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.
