BIT-fluent-bit-2024-50609

BIT-fluent-bit-2024-50609 PUBLISHED CVSS 7.5 HIGH

An issue was discovered in Fluent Bit 3.1.9. When the OpenTelemetry input plugin is running and listening on an IP address and port, one can send a packet with Content-Length: 0 and it crashes the server. Improper handling of the case when Content-Length is 0 allows a user (with access to the endpoint) to perform a remote Denial of service attack. The crash happens because of a NULL pointer dereference when 0 (from the Content-Length) is passed to the function cfl_sds_len, which in turn tries to cast a NULL pointer into struct cfl_sds. This is related to process_payload_traces_proto_ng() at opentelemetry_prot.c.

Risk Scores

CVSS v3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

Vendor	Product	Versions
Bitnami	fluent-bit	3.1.9, 3.1.9, 3.1.9

Timeline

Apr 23, 2025 CVE Published
Apr 23, 2025 CVE Updated

References

https://fluentbit.io/announcements/ url
https://github.com/fluent/fluent-bit/releases url
https://nvd.nist.gov/vuln/detail/CVE-2024-50609 url
https://www.ebryx.com/blogs/exploring-cve-2024-50608-and-cve-2024-50609 url

Open in Interactive Console →