fluent-plugin-opentelemetry CVE-2026-44163
MEDIUM
GHSA-2jc5-xhx8-qj6h
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
OOM kill terminates the entire Fluentd process (complete availability loss), warranting A:H over the scored A:L; all other metrics align with the provided vector.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
The fluent-plugin-opentelemetry plugin (specifically the in_opentelemetry HTTP input) lacked strict size limits on incoming requests. It was discovered that the plugin read the entire request body and decompressed payloads into memory without enforcing maximum size thresholds.
If the OpenTelemetry ingestion endpoint is exposed to untrusted networks, an attacker can send an excessively large HTTP request or a maliciously crafted, highly compressed payload. When the plugin attempts to read or decompress this payload, it will expand to an excessive size and it will consume significant system resources.
Impact
This vulnerability allows for a Denial of Service (DoS) attack via memory exhaustion. The rapid memory consumption during decompression can easily lead to an Out-of-Memory kill of the Fluentd process by the operating system. This results in the disruption of all log collection and forwarding capabilities on the affected node.
Patches
v0.5.3
Workarounds
If an immediate upgrade is not possible, users are strongly advised to apply the following mitigations:
- Restrict Network Access
- Ensure that the OpenTelemetry ingestion ports (default
4318) are deployed within a closed, trusted network. Use firewall rules (e.g., iptables, AWS Security Groups) to block access from untrusted networks or instances.
- Use a Reverse Proxy
- If you must expose HTTP ingestion to external sources, place a robust reverse proxy (such as Nginx) in front of Fluentd. Configure the proxy to handle the gzip decompression and enforce strict limits on both compressed and uncompressed body sizes before passing the traffic to Fluentd.
AnalysisAI
Memory exhaustion in fluent-plugin-opentelemetry versions 0.5.2 and earlier allows unauthenticated remote attackers to crash the Fluentd process by sending an oversized HTTP request body or a decompression bomb to the in_opentelemetry HTTP input endpoint (default port 4318). The plugin reads and decompresses the entire payload into memory without enforcing size thresholds, enabling an OOM kill of Fluentd and complete disruption of log collection and forwarding on the affected node. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network-level access to the `in_opentelemetry` HTTP ingestion port (default 4318) from an untrusted source; the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms unauthenticated remote exploitation with no special configuration required beyond the port being reachable. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) underrepresents the actual impact: the advisory explicitly states that decompression can produce an OOM kill of the Fluentd process, which constitutes complete, not partial, availability loss of the logging pipeline - an A:H outcome in practice. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker with network access to port 4318 sends a small gzip-compressed HTTP POST to the `/v1/logs` or `/v1/traces` endpoint, where the compressed body (a few kilobytes) is constructed to expand to gigabytes upon decompression - a classic decompression bomb. The Fluentd plugin decompresses the payload into memory without bounds, rapidly exhausting available system RAM until the OS OOM killer terminates the Fluentd process, halting all log collection and forwarding on the affected node. … |
| Remediation | Upgrade fluent-plugin-opentelemetry to version 0.5.3, which is confirmed as the patched release per advisory GHSA-2jc5-xhx8-qj6h and commit ce6c1f2a7741592c8a79afbe75fded9e8ebfa92d (https://github.com/fluent-plugins-nursery/fluent-plugin-opentelemetry/commit/ce6c1f2a7741592c8a79afbe75fded9e8ebfa92d). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau
A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap
An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability
Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi
The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8
The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today