GHSA-XV9W-7V6Q-HPJH
Vulnerability from github – Published: 2026-06-26 17:02 – Updated: 2026-06-26 17:02The fluent-plugin-s3 plugin (specifically the in_s3 input plugin) supports reading and decompressing heavily compressed files (such as gzip, lzma2, and lzop) from Amazon S3.
It was discovered that the plugin read the entire decompressed payload into memory at once without enforcing a strict size limit.
If an attacker has sufficient permissions to upload files to the monitored S3 bucket, they can upload a maliciously crafted, highly compressed file. When Fluentd attempts to decompress this file, it will expand to an excessive size and it will consume significant system resources.
Impact
This vulnerability allows for a Denial of Service (DoS) attack via memory exhaustion. The rapid memory consumption during decompression can lead to an Out-of-Memory kill of the Fluentd process by the operating system, This results in the disruption of all log collection on the affected node.
Patches
v1.8.5
Workarounds
If an immediate upgrade is not possible, mitigate the risk by applying strict IAM access controls:
- Restrict Bucket Access
- Ensure that write (PUT) access to the S3 bucket monitored by
in_s3is strictly limited to trusted services and administrators. Prevent any public or untrusted uploads to the S3 bucket.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.8.4"
},
"package": {
"ecosystem": "RubyGems",
"name": "fluent-plugin-s3"
},
"ranges": [
{
"events": [
{
"introduced": "0.7.0"
},
{
"fixed": "1.8.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44162"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-26T17:02:19Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "The `fluent-plugin-s3` plugin (specifically the `in_s3` input plugin) supports reading and decompressing heavily compressed files (such as `gzip`, `lzma2`, and `lzop`) from Amazon S3. \nIt was discovered that the plugin read the entire decompressed payload into memory at once without enforcing a strict size limit.\n\nIf an attacker has sufficient permissions to upload files to the monitored S3 bucket, they can upload a maliciously crafted, highly compressed file.\nWhen Fluentd attempts to decompress this file, it will expand to an excessive size and it will consume significant system resources.\n\n### Impact\nThis vulnerability allows for a **Denial of Service (DoS)** attack via memory exhaustion. \nThe rapid memory consumption during decompression can lead to an Out-of-Memory kill of the Fluentd process by the operating system, \nThis results in the disruption of all log collection on the affected node.\n\n### Patches\nv1.8.5\n\n### Workarounds\nIf an immediate upgrade is not possible, mitigate the risk by applying strict IAM access controls:\n\n1. Restrict Bucket Access\n * Ensure that write (PUT) access to the S3 bucket monitored by `in_s3` is strictly limited to trusted services and administrators. Prevent any public or untrusted uploads to the S3 bucket.",
"id": "GHSA-xv9w-7v6q-hpjh",
"modified": "2026-06-26T17:02:19Z",
"published": "2026-06-26T17:02:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fluent/fluent-plugin-s3/security/advisories/GHSA-xv9w-7v6q-hpjh"
},
{
"type": "WEB",
"url": "https://github.com/fluent/fluent-plugin-s3/commit/e085aee001d15bcc4bd073507e74075e30550fd0"
},
{
"type": "PACKAGE",
"url": "https://github.com/fluent/fluent-plugin-s3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "fluent-plugin-s3 Vulnerable to Denial of Service (DoS) via Decompression Bomb in `in_s3`"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.