GHSA-XV9W-7V6Q-HPJH

Vulnerability from github – Published: 2026-06-26 17:02 – Updated: 2026-06-26 17:02
VLAI
Summary
fluent-plugin-s3 Vulnerable to Denial of Service (DoS) via Decompression Bomb in `in_s3`
Details

The fluent-plugin-s3 plugin (specifically the in_s3 input plugin) supports reading and decompressing heavily compressed files (such as gzip, lzma2, and lzop) from Amazon S3. It was discovered that the plugin read the entire decompressed payload into memory at once without enforcing a strict size limit.

If an attacker has sufficient permissions to upload files to the monitored S3 bucket, they can upload a maliciously crafted, highly compressed file. When Fluentd attempts to decompress this file, it will expand to an excessive size and it will consume significant system resources.

Impact

This vulnerability allows for a Denial of Service (DoS) attack via memory exhaustion. The rapid memory consumption during decompression can lead to an Out-of-Memory kill of the Fluentd process by the operating system, This results in the disruption of all log collection on the affected node.

Patches

v1.8.5

Workarounds

If an immediate upgrade is not possible, mitigate the risk by applying strict IAM access controls:

  1. Restrict Bucket Access
  2. Ensure that write (PUT) access to the S3 bucket monitored by in_s3 is strictly limited to trusted services and administrators. Prevent any public or untrusted uploads to the S3 bucket.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.8.4"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "fluent-plugin-s3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.7.0"
            },
            {
              "fixed": "1.8.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44162"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-26T17:02:19Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "The `fluent-plugin-s3` plugin (specifically the `in_s3` input plugin) supports reading and decompressing heavily compressed files (such as `gzip`, `lzma2`, and `lzop`) from Amazon S3. \nIt was discovered that the plugin read the entire decompressed payload into memory at once without enforcing a strict size limit.\n\nIf an attacker has sufficient permissions to upload files to the monitored S3 bucket, they can upload a maliciously crafted, highly compressed file.\nWhen Fluentd attempts to decompress this file, it will expand to an excessive size and it will consume significant system resources.\n\n### Impact\nThis vulnerability allows for a **Denial of Service (DoS)** attack via memory exhaustion. \nThe rapid memory consumption during decompression can lead to an Out-of-Memory kill of the Fluentd process by the operating system, \nThis results in the disruption of all log collection on the affected node.\n\n### Patches\nv1.8.5\n\n### Workarounds\nIf an immediate upgrade is not possible, mitigate the risk by applying strict IAM access controls:\n\n1. Restrict Bucket Access\n   * Ensure that write (PUT) access to the S3 bucket monitored by `in_s3` is strictly limited to trusted services and administrators. Prevent any public or untrusted uploads to the S3 bucket.",
  "id": "GHSA-xv9w-7v6q-hpjh",
  "modified": "2026-06-26T17:02:19Z",
  "published": "2026-06-26T17:02:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fluent/fluent-plugin-s3/security/advisories/GHSA-xv9w-7v6q-hpjh"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fluent/fluent-plugin-s3/commit/e085aee001d15bcc4bd073507e74075e30550fd0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fluent/fluent-plugin-s3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "fluent-plugin-s3 Vulnerable to Denial of Service (DoS) via Decompression Bomb in `in_s3`"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…