MEDIUM
The severity is rated MEDIUM because the leak primarily affects resident memory rather than virtual memory, which typically does not cause system crashes or significant performance degradation. It can still lead to unnecessarily high memory usage over time. The issue is practically relevant for environments where MeiliSearch handles large volumes of data.

This advisory discusses a memory leak in MeiliSearch, an open-source full-text search engine that uses various allocators like jemalloc, bumpalo, and mimalloc. The leak was initially unnoticed as it only affected resident memory (RSS) rather than virtual memory, leading to increased memory usage during indexing processes. The leak originated from improper use of `bumpalo::Vec::into_bump_slice`, which bypassed the necessary cleanup process for global-allocator-backed data structures stored within bump allocations. This issue was discovered by leveraging AI-assisted analysis and has been present since version 1.12, approximately 1.5 years ago.
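The mechanism described above, as an added example that is not MeiliSearch's code or its patch: a std-only toy model (no bumpalo dependency) in which converting an arena vector to a plain slice skips element destructors, so heap buffers owned by the elements are never freed. The names `HeapBacked`, `ArenaVec`, `into_arena_slice` and `live_after_release` are hypothetical, and the "owned" path shows one way to avoid the leak, not necessarily the fix that shipped.

```rust
use std::cell::Cell;
use std::mem::{self, ManuallyDrop};
use std::rc::Rc;
// Constructed stand-in for a value that owns a global-allocator buffer
// (such as a std Vec or String) while being stored inside an arena.
struct HeapBacked {
    _buf: Vec<u8>,
    live: Rc<Cell<usize>>, // count of HeapBacked values not yet dropped
}
impl Drop for HeapBacked {
    fn drop(&mut self) { self.live.set(self.live.get() - 1); }
}

// Toy model of an arena-backed vector: dropping it runs element destructors.
struct ArenaVec<T> { slots: Vec<ManuallyDrop<T>> }
impl<T> ArenaVec<T> {
    // Models the slice conversion: hands back raw slots, never runs destructors.
    fn into_arena_slice(mut self) -> Vec<ManuallyDrop<T>> {
        mem::take(&mut self.slots)
    }
}
impl<T> Drop for ArenaVec<T> {
    fn drop(&mut self) {
        for slot in self.slots.iter_mut() {
            // SAFETY: each slot is dropped exactly once, and only here.
            unsafe { ManuallyDrop::drop(slot) };
        }
    }
}

// Returns how many heap buffers are still live after the arena storage is released.
fn live_after_release(n: usize, use_slice: bool) -> usize {
    let live = Rc::new(Cell::new(0usize));
    let slots: Vec<_> = (0..n).map(|_| {
        live.set(live.get() + 1);
        ManuallyDrop::new(HeapBacked { _buf: vec![0u8; 4096], live: Rc::clone(&live) })
    }).collect();
    let v = ArenaVec { slots };
    if use_slice {
        drop(v.into_arena_slice()); // storage freed, no destructors: buffers leak
    } else {
        drop(v); // owning vector dropped: destructors run, buffers freed
    }
    live.get()
}

fn main() {
    println!("slice: {}, owned: {}", live_after_release(8, true), live_after_release(8, false));
}
```

In the slice path the slot storage is returned to the arena model while every element's 4096-byte buffer stays allocated, which is the pattern that shows up as growing resident memory during indexing.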

Affected Systems
  • MeiliSearch

Affected Versions: All versions from 1.12 up to and including the latest version prior to the fix

Remediation
  • Upgrade to the patched version of MeiliSearch that includes the fix for bumpalo usage.
  • Verify that all instances are running on the updated version by checking the `meilisearch --version` command output.
  • Monitor memory usage post-upgrade to ensure the leak has been resolved.

Stack Impact

The impact is specifically on systems using MeiliSearch for indexing large volumes of data. This includes homelab environments running MeiliSearch with significant datasets, where the fix is crucial to avoid excessive resident memory consumption.
