Search
Find a vulnerability
Search criteria
12 vulnerabilities found for fluentd by fluent
CVE-2026-44161 (GCVE-0-2026-44161)
Vulnerability from nvd – Published: 2026-07-08 21:25 – Updated: 2026-07-09 14:40
VLAI
EPSS
VEX
Title
Fluentd: Server-Side Request Forgery (SSRF) via Placeholder Expansion in `out_http`
Summary
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, the Fluentd out_http output plugin allows placeholders such as ${tag} in the endpoint configuration parameter, and if a placeholder value is derived from untrusted input an attacker can control the destination hostname of outbound HTTP requests and force requests to arbitrary internal services. This issue is fixed in version 1.19.3.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/fluent/fluentd/security/adviso… | x_refsource_CONFIRM |
| https://github.com/fluent/fluentd/pull/5394 | x_refsource_MISC |
| https://github.com/fluent/fluentd/commit/c6a01ea2… | x_refsource_MISC |
| https://github.com/fluent/fluentd/releases/tag/v1.19.3 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44161",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T14:37:57.811738Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T14:40:31.700Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fluentd",
"vendor": "fluent",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, the Fluentd out_http output plugin allows placeholders such as ${tag} in the endpoint configuration parameter, and if a placeholder value is derived from untrusted input an attacker can control the destination hostname of outbound HTTP requests and force requests to arbitrary internal services. This issue is fixed in version 1.19.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T21:25:43.892Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/fluent/fluentd/security/advisories/GHSA-72f5-rr8c-r6gr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fluent/fluentd/security/advisories/GHSA-72f5-rr8c-r6gr"
},
{
"name": "https://github.com/fluent/fluentd/pull/5394",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fluent/fluentd/pull/5394"
},
{
"name": "https://github.com/fluent/fluentd/commit/c6a01ea2e0ea01977f8d615f7c6dbfae4cba88c9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fluent/fluentd/commit/c6a01ea2e0ea01977f8d615f7c6dbfae4cba88c9"
},
{
"name": "https://github.com/fluent/fluentd/releases/tag/v1.19.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fluent/fluentd/releases/tag/v1.19.3"
}
],
"source": {
"advisory": "GHSA-72f5-rr8c-r6gr",
"discovery": "UNKNOWN"
},
"title": "Fluentd: Server-Side Request Forgery (SSRF) via Placeholder Expansion in `out_http`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44161",
"datePublished": "2026-07-08T21:25:43.892Z",
"dateReserved": "2026-05-05T14:39:34.922Z",
"dateUpdated": "2026-07-09T14:40:31.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44160 (GCVE-0-2026-44160)
Vulnerability from nvd – Published: 2026-07-08 21:24 – Updated: 2026-07-09 19:34
VLAI
EPSS
VEX
Title
Fluentd: Denial of Service (DoS) via Gzip Decompression Bomb in `in_http` and `in_forward`
Summary
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd's in_http and in_forward plugins support gzip-compressed data but enforce limits only on compressed payloads through settings such as body_size_limit and chunk_size_limit, allowing crafted compressed payloads to decompress in memory to an excessive size and cause denial of service through memory exhaustion. This issue is fixed in version 1.19.3.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/fluent/fluentd/security/adviso… | x_refsource_CONFIRM |
| https://github.com/fluent/fluentd/pull/5393 | x_refsource_MISC |
| https://github.com/fluent/fluentd/commit/f5f2b7cd… | x_refsource_MISC |
| https://github.com/fluent/fluentd/releases/tag/v1.19.3 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44160",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T19:34:49.901088Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T19:34:55.352Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fluentd",
"vendor": "fluent",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd\u0027s in_http and in_forward plugins support gzip-compressed data but enforce limits only on compressed payloads through settings such as body_size_limit and chunk_size_limit, allowing crafted compressed payloads to decompress in memory to an excessive size and cause denial of service through memory exhaustion. This issue is fixed in version 1.19.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-409",
"description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T21:24:28.346Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/fluent/fluentd/security/advisories/GHSA-j9cw-hwqf-85w7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fluent/fluentd/security/advisories/GHSA-j9cw-hwqf-85w7"
},
{
"name": "https://github.com/fluent/fluentd/pull/5393",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fluent/fluentd/pull/5393"
},
{
"name": "https://github.com/fluent/fluentd/commit/f5f2b7cddf8aab3932e6dec9fa367a5f3eb27e10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fluent/fluentd/commit/f5f2b7cddf8aab3932e6dec9fa367a5f3eb27e10"
},
{
"name": "https://github.com/fluent/fluentd/releases/tag/v1.19.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fluent/fluentd/releases/tag/v1.19.3"
}
],
"source": {
"advisory": "GHSA-j9cw-hwqf-85w7",
"discovery": "UNKNOWN"
},
"title": "Fluentd: Denial of Service (DoS) via Gzip Decompression Bomb in `in_http` and `in_forward`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44160",
"datePublished": "2026-07-08T21:24:28.346Z",
"dateReserved": "2026-05-05T14:39:34.922Z",
"dateUpdated": "2026-07-09T19:34:55.352Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44025 (GCVE-0-2026-44025)
Vulnerability from nvd – Published: 2026-07-08 21:23 – Updated: 2026-07-09 13:47
VLAI
EPSS
VEX
Title
Fluentd: Exposure of Sensitive Information via Monitor Agent API
Summary
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd's Monitor Agent plugin in_monitor_agent exposes internal metrics and plugin information via a REST API, and responses from /api/plugins.json and related endpoints unintentionally include internal instance variables that may contain database passwords, API keys, or cloud credentials. This issue is fixed in version 1.19.3.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/fluent/fluentd/security/adviso… | x_refsource_CONFIRM |
| https://github.com/fluent/fluentd/pull/5392 | x_refsource_MISC |
| https://github.com/fluent/fluentd/commit/99092151… | x_refsource_MISC |
| https://github.com/fluent/fluentd/releases/tag/v1.19.3 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44025",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T13:47:05.851155Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T13:47:17.414Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fluentd",
"vendor": "fluent",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd\u0027s Monitor Agent plugin in_monitor_agent exposes internal metrics and plugin information via a REST API, and responses from /api/plugins.json and related endpoints unintentionally include internal instance variables that may contain database passwords, API keys, or cloud credentials. This issue is fixed in version 1.19.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T21:23:16.920Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/fluent/fluentd/security/advisories/GHSA-pr7j-96cj-549h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fluent/fluentd/security/advisories/GHSA-pr7j-96cj-549h"
},
{
"name": "https://github.com/fluent/fluentd/pull/5392",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fluent/fluentd/pull/5392"
},
{
"name": "https://github.com/fluent/fluentd/commit/990921518971699b9a97441970674d1800e29177",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fluent/fluentd/commit/990921518971699b9a97441970674d1800e29177"
},
{
"name": "https://github.com/fluent/fluentd/releases/tag/v1.19.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fluent/fluentd/releases/tag/v1.19.3"
}
],
"source": {
"advisory": "GHSA-pr7j-96cj-549h",
"discovery": "UNKNOWN"
},
"title": "Fluentd: Exposure of Sensitive Information via Monitor Agent API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44025",
"datePublished": "2026-07-08T21:23:16.920Z",
"dateReserved": "2026-05-04T21:24:36.506Z",
"dateUpdated": "2026-07-09T13:47:17.414Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44024 (GCVE-0-2026-44024)
Vulnerability from nvd – Published: 2026-07-08 21:20 – Updated: 2026-07-09 13:26
VLAI
EPSS
VEX
Title
Fluentd: Remote Code Execution (RCE) via Arbitrary File Write in `${tag}` Placeholder
Summary
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd allows dynamically constructing file paths using the ${tag} placeholder, and insufficient validation of ${tag} in file configurations such as the path parameter of the out_file plugin allows attackers sending untrusted tags containing path traversal characters to write or overwrite arbitrary files and potentially achieve remote code execution. This issue is fixed in version 1.19.3.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/fluent/fluentd/security/adviso… | x_refsource_CONFIRM |
| https://github.com/fluent/fluentd/pull/5391 | x_refsource_MISC |
| https://github.com/fluent/fluentd/commit/45c87a81… | x_refsource_MISC |
| https://github.com/fluent/fluentd/releases/tag/v1.19.3 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44024",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T13:26:40.473209Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T13:26:53.271Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fluentd",
"vendor": "fluent",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd allows dynamically constructing file paths using the ${tag} placeholder, and insufficient validation of ${tag} in file configurations such as the path parameter of the out_file plugin allows attackers sending untrusted tags containing path traversal characters to write or overwrite arbitrary files and potentially achieve remote code execution. This issue is fixed in version 1.19.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T21:20:29.598Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/fluent/fluentd/security/advisories/GHSA-44hj-4m45-frj3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fluent/fluentd/security/advisories/GHSA-44hj-4m45-frj3"
},
{
"name": "https://github.com/fluent/fluentd/pull/5391",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fluent/fluentd/pull/5391"
},
{
"name": "https://github.com/fluent/fluentd/commit/45c87a81f3ac0b72b3f9dcfe8cfb5f9038f81437",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fluent/fluentd/commit/45c87a81f3ac0b72b3f9dcfe8cfb5f9038f81437"
},
{
"name": "https://github.com/fluent/fluentd/releases/tag/v1.19.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fluent/fluentd/releases/tag/v1.19.3"
}
],
"source": {
"advisory": "GHSA-44hj-4m45-frj3",
"discovery": "UNKNOWN"
},
"title": "Fluentd: Remote Code Execution (RCE) via Arbitrary File Write in `${tag}` Placeholder"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44024",
"datePublished": "2026-07-08T21:20:29.598Z",
"dateReserved": "2026-05-04T21:24:36.506Z",
"dateUpdated": "2026-07-09T13:26:53.271Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-39379 (GCVE-0-2022-39379)
Vulnerability from nvd – Published: 2022-11-02 00:00 – Updated: 2025-04-23 16:41
VLAI
EPSS
VEX
Title
Fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)
Summary
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround do not use `FLUENT_OJ_OPTION_MODE=object`.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
3 references
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:44.172Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/fluent/fluentd/commit/48e5b85dab1b6d4c273090d538fc11b3f2fd8135"
},
{
"name": "FEDORA-2023-6b9e2a6534",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYD5QV66OLDHES6IKVYYM3Y3YID3VVCO/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39379",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T13:55:24.123262Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:41:33.585Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fluentd",
"vendor": "fluent",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.13.2, \u003c 1.15.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround do not use `FLUENT_OJ_OPTION_MODE=object`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-11T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2"
},
{
"url": "https://github.com/fluent/fluentd/commit/48e5b85dab1b6d4c273090d538fc11b3f2fd8135"
},
{
"name": "FEDORA-2023-6b9e2a6534",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYD5QV66OLDHES6IKVYYM3Y3YID3VVCO/"
}
],
"source": {
"advisory": "GHSA-fppq-mj76-fpj2",
"discovery": "UNKNOWN"
},
"title": "Fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39379",
"datePublished": "2022-11-02T00:00:00.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:41:33.585Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41186 (GCVE-0-2021-41186)
Vulnerability from nvd – Published: 2021-10-29 13:40 – Updated: 2024-08-04 03:08
VLAI
EPSS
VEX
Title
ReDoS vulnerability in parser_apache2
Summary
Fluentd collects events from various data sources and writes them to files to help unify logging infrastructure. The parser_apache2 plugin in Fluentd v0.14.14 to v1.14.1 suffers from a regular expression denial of service (ReDoS) vulnerability. A broken apache log with a certain pattern of string can spend too much time in a regular expression, resulting in the potential for a DoS attack. This issue is patched in version 1.14.2 There are two workarounds available. Either don't use parser_apache2 for parsing logs (which cannot guarantee generated by Apache), or put patched version of parser_apache2.rb into /etc/fluent/plugin directory (or any other directories specified by the environment variable `FLUENT_PLUGIN` or `--plugin` option of fluentd).
Severity
5.9 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/fluent/fluentd/security/adviso… | x_refsource_CONFIRM |
| https://github.com/fluent/fluentd/blob/master/CHA… | x_refsource_MISC |
| https://github.com/github/securitylab-vulnerabili… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:08:31.511Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/fluent/fluentd/security/advisories/GHSA-hwhf-64mh-r662"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/fluent/fluentd/blob/master/CHANGELOG.md#v1142"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/github/securitylab-vulnerabilities/blob/52dc4a2a828c6dc24231967c2937ad92038184a9/vendor_reports/GHSL-2021-102-fluent-fluentd.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "fluentd",
"vendor": "fluent",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.14.14, \u003c 1.14.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fluentd collects events from various data sources and writes them to files to help unify logging infrastructure. The parser_apache2 plugin in Fluentd v0.14.14 to v1.14.1 suffers from a regular expression denial of service (ReDoS) vulnerability. A broken apache log with a certain pattern of string can spend too much time in a regular expression, resulting in the potential for a DoS attack. This issue is patched in version 1.14.2 There are two workarounds available. Either don\u0027t use parser_apache2 for parsing logs (which cannot guarantee generated by Apache), or put patched version of parser_apache2.rb into /etc/fluent/plugin directory (or any other directories specified by the environment variable `FLUENT_PLUGIN` or `--plugin` option of fluentd)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-29T13:40:10.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fluent/fluentd/security/advisories/GHSA-hwhf-64mh-r662"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fluent/fluentd/blob/master/CHANGELOG.md#v1142"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/github/securitylab-vulnerabilities/blob/52dc4a2a828c6dc24231967c2937ad92038184a9/vendor_reports/GHSL-2021-102-fluent-fluentd.md"
}
],
"source": {
"advisory": "GHSA-hwhf-64mh-r662",
"discovery": "UNKNOWN"
},
"title": "ReDoS vulnerability in parser_apache2",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41186",
"STATE": "PUBLIC",
"TITLE": "ReDoS vulnerability in parser_apache2"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "fluentd",
"version": {
"version_data": [
{
"version_value": "\u003e= 0.14.14, \u003c 1.14.2"
}
]
}
}
]
},
"vendor_name": "fluent"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Fluentd collects events from various data sources and writes them to files to help unify logging infrastructure. The parser_apache2 plugin in Fluentd v0.14.14 to v1.14.1 suffers from a regular expression denial of service (ReDoS) vulnerability. A broken apache log with a certain pattern of string can spend too much time in a regular expression, resulting in the potential for a DoS attack. This issue is patched in version 1.14.2 There are two workarounds available. Either don\u0027t use parser_apache2 for parsing logs (which cannot guarantee generated by Apache), or put patched version of parser_apache2.rb into /etc/fluent/plugin directory (or any other directories specified by the environment variable `FLUENT_PLUGIN` or `--plugin` option of fluentd)."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400: Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/fluent/fluentd/security/advisories/GHSA-hwhf-64mh-r662",
"refsource": "CONFIRM",
"url": "https://github.com/fluent/fluentd/security/advisories/GHSA-hwhf-64mh-r662"
},
{
"name": "https://github.com/fluent/fluentd/blob/master/CHANGELOG.md#v1142",
"refsource": "MISC",
"url": "https://github.com/fluent/fluentd/blob/master/CHANGELOG.md#v1142"
},
{
"name": "https://github.com/github/securitylab-vulnerabilities/blob/52dc4a2a828c6dc24231967c2937ad92038184a9/vendor_reports/GHSL-2021-102-fluent-fluentd.md",
"refsource": "MISC",
"url": "https://github.com/github/securitylab-vulnerabilities/blob/52dc4a2a828c6dc24231967c2937ad92038184a9/vendor_reports/GHSL-2021-102-fluent-fluentd.md"
}
]
},
"source": {
"advisory": "GHSA-hwhf-64mh-r662",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41186",
"datePublished": "2021-10-29T13:40:10.000Z",
"dateReserved": "2021-09-15T00:00:00.000Z",
"dateUpdated": "2024-08-04T03:08:31.511Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-44161 (GCVE-0-2026-44161)
Vulnerability from cvelistv5 – Published: 2026-07-08 21:25 – Updated: 2026-07-09 14:40
VLAI
EPSS
VEX
Title
Fluentd: Server-Side Request Forgery (SSRF) via Placeholder Expansion in `out_http`
Summary
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, the Fluentd out_http output plugin allows placeholders such as ${tag} in the endpoint configuration parameter, and if a placeholder value is derived from untrusted input an attacker can control the destination hostname of outbound HTTP requests and force requests to arbitrary internal services. This issue is fixed in version 1.19.3.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/fluent/fluentd/security/adviso… | x_refsource_CONFIRM |
| https://github.com/fluent/fluentd/pull/5394 | x_refsource_MISC |
| https://github.com/fluent/fluentd/commit/c6a01ea2… | x_refsource_MISC |
| https://github.com/fluent/fluentd/releases/tag/v1.19.3 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44161",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T14:37:57.811738Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T14:40:31.700Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fluentd",
"vendor": "fluent",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, the Fluentd out_http output plugin allows placeholders such as ${tag} in the endpoint configuration parameter, and if a placeholder value is derived from untrusted input an attacker can control the destination hostname of outbound HTTP requests and force requests to arbitrary internal services. This issue is fixed in version 1.19.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T21:25:43.892Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/fluent/fluentd/security/advisories/GHSA-72f5-rr8c-r6gr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fluent/fluentd/security/advisories/GHSA-72f5-rr8c-r6gr"
},
{
"name": "https://github.com/fluent/fluentd/pull/5394",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fluent/fluentd/pull/5394"
},
{
"name": "https://github.com/fluent/fluentd/commit/c6a01ea2e0ea01977f8d615f7c6dbfae4cba88c9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fluent/fluentd/commit/c6a01ea2e0ea01977f8d615f7c6dbfae4cba88c9"
},
{
"name": "https://github.com/fluent/fluentd/releases/tag/v1.19.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fluent/fluentd/releases/tag/v1.19.3"
}
],
"source": {
"advisory": "GHSA-72f5-rr8c-r6gr",
"discovery": "UNKNOWN"
},
"title": "Fluentd: Server-Side Request Forgery (SSRF) via Placeholder Expansion in `out_http`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44161",
"datePublished": "2026-07-08T21:25:43.892Z",
"dateReserved": "2026-05-05T14:39:34.922Z",
"dateUpdated": "2026-07-09T14:40:31.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44160 (GCVE-0-2026-44160)
Vulnerability from cvelistv5 – Published: 2026-07-08 21:24 – Updated: 2026-07-09 19:34
VLAI
EPSS
VEX
Title
Fluentd: Denial of Service (DoS) via Gzip Decompression Bomb in `in_http` and `in_forward`
Summary
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd's in_http and in_forward plugins support gzip-compressed data but enforce limits only on compressed payloads through settings such as body_size_limit and chunk_size_limit, allowing crafted compressed payloads to decompress in memory to an excessive size and cause denial of service through memory exhaustion. This issue is fixed in version 1.19.3.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/fluent/fluentd/security/adviso… | x_refsource_CONFIRM |
| https://github.com/fluent/fluentd/pull/5393 | x_refsource_MISC |
| https://github.com/fluent/fluentd/commit/f5f2b7cd… | x_refsource_MISC |
| https://github.com/fluent/fluentd/releases/tag/v1.19.3 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44160",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T19:34:49.901088Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T19:34:55.352Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fluentd",
"vendor": "fluent",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd\u0027s in_http and in_forward plugins support gzip-compressed data but enforce limits only on compressed payloads through settings such as body_size_limit and chunk_size_limit, allowing crafted compressed payloads to decompress in memory to an excessive size and cause denial of service through memory exhaustion. This issue is fixed in version 1.19.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-409",
"description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T21:24:28.346Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/fluent/fluentd/security/advisories/GHSA-j9cw-hwqf-85w7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fluent/fluentd/security/advisories/GHSA-j9cw-hwqf-85w7"
},
{
"name": "https://github.com/fluent/fluentd/pull/5393",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fluent/fluentd/pull/5393"
},
{
"name": "https://github.com/fluent/fluentd/commit/f5f2b7cddf8aab3932e6dec9fa367a5f3eb27e10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fluent/fluentd/commit/f5f2b7cddf8aab3932e6dec9fa367a5f3eb27e10"
},
{
"name": "https://github.com/fluent/fluentd/releases/tag/v1.19.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fluent/fluentd/releases/tag/v1.19.3"
}
],
"source": {
"advisory": "GHSA-j9cw-hwqf-85w7",
"discovery": "UNKNOWN"
},
"title": "Fluentd: Denial of Service (DoS) via Gzip Decompression Bomb in `in_http` and `in_forward`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44160",
"datePublished": "2026-07-08T21:24:28.346Z",
"dateReserved": "2026-05-05T14:39:34.922Z",
"dateUpdated": "2026-07-09T19:34:55.352Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44025 (GCVE-0-2026-44025)
Vulnerability from cvelistv5 – Published: 2026-07-08 21:23 – Updated: 2026-07-09 13:47
VLAI
EPSS
VEX
Title
Fluentd: Exposure of Sensitive Information via Monitor Agent API
Summary
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd's Monitor Agent plugin in_monitor_agent exposes internal metrics and plugin information via a REST API, and responses from /api/plugins.json and related endpoints unintentionally include internal instance variables that may contain database passwords, API keys, or cloud credentials. This issue is fixed in version 1.19.3.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/fluent/fluentd/security/adviso… | x_refsource_CONFIRM |
| https://github.com/fluent/fluentd/pull/5392 | x_refsource_MISC |
| https://github.com/fluent/fluentd/commit/99092151… | x_refsource_MISC |
| https://github.com/fluent/fluentd/releases/tag/v1.19.3 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44025",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T13:47:05.851155Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T13:47:17.414Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fluentd",
"vendor": "fluent",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd\u0027s Monitor Agent plugin in_monitor_agent exposes internal metrics and plugin information via a REST API, and responses from /api/plugins.json and related endpoints unintentionally include internal instance variables that may contain database passwords, API keys, or cloud credentials. This issue is fixed in version 1.19.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T21:23:16.920Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/fluent/fluentd/security/advisories/GHSA-pr7j-96cj-549h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fluent/fluentd/security/advisories/GHSA-pr7j-96cj-549h"
},
{
"name": "https://github.com/fluent/fluentd/pull/5392",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fluent/fluentd/pull/5392"
},
{
"name": "https://github.com/fluent/fluentd/commit/990921518971699b9a97441970674d1800e29177",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fluent/fluentd/commit/990921518971699b9a97441970674d1800e29177"
},
{
"name": "https://github.com/fluent/fluentd/releases/tag/v1.19.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fluent/fluentd/releases/tag/v1.19.3"
}
],
"source": {
"advisory": "GHSA-pr7j-96cj-549h",
"discovery": "UNKNOWN"
},
"title": "Fluentd: Exposure of Sensitive Information via Monitor Agent API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44025",
"datePublished": "2026-07-08T21:23:16.920Z",
"dateReserved": "2026-05-04T21:24:36.506Z",
"dateUpdated": "2026-07-09T13:47:17.414Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44024 (GCVE-0-2026-44024)
Vulnerability from cvelistv5 – Published: 2026-07-08 21:20 – Updated: 2026-07-09 13:26
VLAI
EPSS
VEX
Title
Fluentd: Remote Code Execution (RCE) via Arbitrary File Write in `${tag}` Placeholder
Summary
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd allows dynamically constructing file paths using the ${tag} placeholder, and insufficient validation of ${tag} in file configurations such as the path parameter of the out_file plugin allows attackers sending untrusted tags containing path traversal characters to write or overwrite arbitrary files and potentially achieve remote code execution. This issue is fixed in version 1.19.3.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/fluent/fluentd/security/adviso… | x_refsource_CONFIRM |
| https://github.com/fluent/fluentd/pull/5391 | x_refsource_MISC |
| https://github.com/fluent/fluentd/commit/45c87a81… | x_refsource_MISC |
| https://github.com/fluent/fluentd/releases/tag/v1.19.3 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44024",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T13:26:40.473209Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T13:26:53.271Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fluentd",
"vendor": "fluent",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd allows dynamically constructing file paths using the ${tag} placeholder, and insufficient validation of ${tag} in file configurations such as the path parameter of the out_file plugin allows attackers sending untrusted tags containing path traversal characters to write or overwrite arbitrary files and potentially achieve remote code execution. This issue is fixed in version 1.19.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T21:20:29.598Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/fluent/fluentd/security/advisories/GHSA-44hj-4m45-frj3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fluent/fluentd/security/advisories/GHSA-44hj-4m45-frj3"
},
{
"name": "https://github.com/fluent/fluentd/pull/5391",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fluent/fluentd/pull/5391"
},
{
"name": "https://github.com/fluent/fluentd/commit/45c87a81f3ac0b72b3f9dcfe8cfb5f9038f81437",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fluent/fluentd/commit/45c87a81f3ac0b72b3f9dcfe8cfb5f9038f81437"
},
{
"name": "https://github.com/fluent/fluentd/releases/tag/v1.19.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fluent/fluentd/releases/tag/v1.19.3"
}
],
"source": {
"advisory": "GHSA-44hj-4m45-frj3",
"discovery": "UNKNOWN"
},
"title": "Fluentd: Remote Code Execution (RCE) via Arbitrary File Write in `${tag}` Placeholder"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44024",
"datePublished": "2026-07-08T21:20:29.598Z",
"dateReserved": "2026-05-04T21:24:36.506Z",
"dateUpdated": "2026-07-09T13:26:53.271Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-39379 (GCVE-0-2022-39379)
Vulnerability from cvelistv5 – Published: 2022-11-02 00:00 – Updated: 2025-04-23 16:41
VLAI
EPSS
VEX
Title
Fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)
Summary
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround do not use `FLUENT_OJ_OPTION_MODE=object`.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
3 references
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:44.172Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/fluent/fluentd/commit/48e5b85dab1b6d4c273090d538fc11b3f2fd8135"
},
{
"name": "FEDORA-2023-6b9e2a6534",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYD5QV66OLDHES6IKVYYM3Y3YID3VVCO/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39379",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T13:55:24.123262Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:41:33.585Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fluentd",
"vendor": "fluent",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.13.2, \u003c 1.15.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround do not use `FLUENT_OJ_OPTION_MODE=object`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-11T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2"
},
{
"url": "https://github.com/fluent/fluentd/commit/48e5b85dab1b6d4c273090d538fc11b3f2fd8135"
},
{
"name": "FEDORA-2023-6b9e2a6534",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYD5QV66OLDHES6IKVYYM3Y3YID3VVCO/"
}
],
"source": {
"advisory": "GHSA-fppq-mj76-fpj2",
"discovery": "UNKNOWN"
},
"title": "Fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39379",
"datePublished": "2022-11-02T00:00:00.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:41:33.585Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41186 (GCVE-0-2021-41186)
Vulnerability from cvelistv5 – Published: 2021-10-29 13:40 – Updated: 2024-08-04 03:08
VLAI
EPSS
VEX
Title
ReDoS vulnerability in parser_apache2
Summary
Fluentd collects events from various data sources and writes them to files to help unify logging infrastructure. The parser_apache2 plugin in Fluentd v0.14.14 to v1.14.1 suffers from a regular expression denial of service (ReDoS) vulnerability. A broken apache log with a certain pattern of string can spend too much time in a regular expression, resulting in the potential for a DoS attack. This issue is patched in version 1.14.2 There are two workarounds available. Either don't use parser_apache2 for parsing logs (which cannot guarantee generated by Apache), or put patched version of parser_apache2.rb into /etc/fluent/plugin directory (or any other directories specified by the environment variable `FLUENT_PLUGIN` or `--plugin` option of fluentd).
Severity
5.9 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/fluent/fluentd/security/adviso… | x_refsource_CONFIRM |
| https://github.com/fluent/fluentd/blob/master/CHA… | x_refsource_MISC |
| https://github.com/github/securitylab-vulnerabili… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:08:31.511Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/fluent/fluentd/security/advisories/GHSA-hwhf-64mh-r662"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/fluent/fluentd/blob/master/CHANGELOG.md#v1142"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/github/securitylab-vulnerabilities/blob/52dc4a2a828c6dc24231967c2937ad92038184a9/vendor_reports/GHSL-2021-102-fluent-fluentd.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "fluentd",
"vendor": "fluent",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.14.14, \u003c 1.14.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fluentd collects events from various data sources and writes them to files to help unify logging infrastructure. The parser_apache2 plugin in Fluentd v0.14.14 to v1.14.1 suffers from a regular expression denial of service (ReDoS) vulnerability. A broken apache log with a certain pattern of string can spend too much time in a regular expression, resulting in the potential for a DoS attack. This issue is patched in version 1.14.2 There are two workarounds available. Either don\u0027t use parser_apache2 for parsing logs (which cannot guarantee generated by Apache), or put patched version of parser_apache2.rb into /etc/fluent/plugin directory (or any other directories specified by the environment variable `FLUENT_PLUGIN` or `--plugin` option of fluentd)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-29T13:40:10.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fluent/fluentd/security/advisories/GHSA-hwhf-64mh-r662"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fluent/fluentd/blob/master/CHANGELOG.md#v1142"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/github/securitylab-vulnerabilities/blob/52dc4a2a828c6dc24231967c2937ad92038184a9/vendor_reports/GHSL-2021-102-fluent-fluentd.md"
}
],
"source": {
"advisory": "GHSA-hwhf-64mh-r662",
"discovery": "UNKNOWN"
},
"title": "ReDoS vulnerability in parser_apache2",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41186",
"STATE": "PUBLIC",
"TITLE": "ReDoS vulnerability in parser_apache2"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "fluentd",
"version": {
"version_data": [
{
"version_value": "\u003e= 0.14.14, \u003c 1.14.2"
}
]
}
}
]
},
"vendor_name": "fluent"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Fluentd collects events from various data sources and writes them to files to help unify logging infrastructure. The parser_apache2 plugin in Fluentd v0.14.14 to v1.14.1 suffers from a regular expression denial of service (ReDoS) vulnerability. A broken apache log with a certain pattern of string can spend too much time in a regular expression, resulting in the potential for a DoS attack. This issue is patched in version 1.14.2 There are two workarounds available. Either don\u0027t use parser_apache2 for parsing logs (which cannot guarantee generated by Apache), or put patched version of parser_apache2.rb into /etc/fluent/plugin directory (or any other directories specified by the environment variable `FLUENT_PLUGIN` or `--plugin` option of fluentd)."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400: Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/fluent/fluentd/security/advisories/GHSA-hwhf-64mh-r662",
"refsource": "CONFIRM",
"url": "https://github.com/fluent/fluentd/security/advisories/GHSA-hwhf-64mh-r662"
},
{
"name": "https://github.com/fluent/fluentd/blob/master/CHANGELOG.md#v1142",
"refsource": "MISC",
"url": "https://github.com/fluent/fluentd/blob/master/CHANGELOG.md#v1142"
},
{
"name": "https://github.com/github/securitylab-vulnerabilities/blob/52dc4a2a828c6dc24231967c2937ad92038184a9/vendor_reports/GHSL-2021-102-fluent-fluentd.md",
"refsource": "MISC",
"url": "https://github.com/github/securitylab-vulnerabilities/blob/52dc4a2a828c6dc24231967c2937ad92038184a9/vendor_reports/GHSL-2021-102-fluent-fluentd.md"
}
]
},
"source": {
"advisory": "GHSA-hwhf-64mh-r662",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41186",
"datePublished": "2021-10-29T13:40:10.000Z",
"dateReserved": "2021-09-15T00:00:00.000Z",
"dateUpdated": "2024-08-04T03:08:31.511Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}