|
| 1 | +--- |
| 2 | +layout: advisory |
| 3 | +title: 'CVE-2026-44163 (fluent-plugin-opentelemetry): fluent-plugin-opentelemetry |
| 4 | + Has Denial of Service (DoS) via Large Payloads and Decompression Bombs in `in_opentelemetry`' |
| 5 | +comments: false |
| 6 | +categories: |
| 7 | +- fluent-plugin-opentelemetry |
| 8 | +advisory: |
| 9 | + gem: fluent-plugin-opentelemetry |
| 10 | + cve: 2026-44163 |
| 11 | + ghsa: 2jc5-xhx8-qj6h |
| 12 | + url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44163 |
| 13 | + title: fluent-plugin-opentelemetry Has Denial of Service (DoS) via Large Payloads |
| 14 | + and Decompression Bombs in `in_opentelemetry` |
| 15 | + date: 2026-06-25 |
| 16 | + description: |- |
| 17 | + The `fluent-plugin-opentelemetry` plugin (specifically the |
| 18 | + `in_opentelemetry` HTTP input) lacked strict size limits on incoming |
| 19 | + requests. It was discovered that the plugin read the entire request |
| 20 | + body and decompressed payloads into memory without enforcing maximum |
| 21 | + size thresholds. If the OpenTelemetry ingestion endpoint is exposed to |
| 22 | + untrusted networks, an attacker can send an excessively large HTTP |
| 23 | + request or a maliciously crafted, highly compressed payload. |
| 24 | + When the plugin attempts to read or decompress this payload, it will |
| 25 | + expand to an excessive size and it will consume significant system resources. |
| 26 | +
|
| 27 | + ### Impact |
| 28 | +
|
| 29 | + This vulnerability allows for a **Denial of Service (DoS)** attack |
| 30 | + via memory exhaustion. The rapid memory consumption during decompression |
| 31 | + can easily lead to an Out-of-Memory kill of the Fluentd process by the |
| 32 | + operating system. This results in the disruption of all log collection |
| 33 | + and forwarding capabilities on the affected node. |
| 34 | + cvss_v3: 5.3 |
| 35 | + patched_versions: |
| 36 | + - ">= 0.5.3" |
| 37 | + related: |
| 38 | + url: |
| 39 | + - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44163 |
| 40 | + - https://rubygems.org/gems/fluent-plugin-opentelemetry/versions/0.5.3 |
| 41 | + - https://github.com/fluent-plugins-nursery/fluent-plugin-opentelemetry/blob/main/CHANGELOG.md#053---2026-06-25 |
| 42 | + - https://github.com/fluent-plugins-nursery/fluent-plugin-opentelemetry/commit/ce6c1f2a7741592c8a79afbe75fded9e8ebfa92d |
| 43 | + - https://advisories.gitlab.com/gem/fluent-plugin-opentelemetry/CVE-2026-44163 |
| 44 | + - https://github.com/advisories/GHSA-2jc5-xhx8-qj6h |
| 45 | + - https://github.com/fluent-plugins-nursery/fluent-plugin-opentelemetry/security/advisories/GHSA-2jc5-xhx8-qj6h |
| 46 | + notes: | |
| 47 | + - CVE is reserved, but not published so no non-GHSA cvss values. |
| 48 | + - `date` value cames from Rubygems.org URL release date. |
| 49 | +--- |
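Review bot: the `notes` block at the end of the hunk has a typo, `cames` should read `comes` (`- \`date\` value comes from Rubygems.org URL release date.`), and the first note would be clearer if it stated where the `cvss_v3: 5.3` value is taken from, since "no non-GHSA cvss values" only implies that the score is the GHSA one; also, the CVE record URL already given as `url:` is repeated as the first entry under `related: url:`, so dropping that duplicate keeps the related list to the additional references.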