CVE-2024-50608
Published: 18 February 2025
Summary
CVE-2024-50608 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Treasuredata Fluent Bit. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 23.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Remediating the NULL pointer dereference flaw in Fluent Bit's Prometheus Remote Write plugin via timely vendor patches directly prevents exploitation crashes from Content-Length: 0 packets.
Secure error handling in the process_payload_metrics_ng function avoids NULL pointer dereferences and crashes when processing zero-length payloads.
Validating Content-Length headers and payloads in incoming Prometheus Remote Write packets prevents malformed inputs from triggering the dereference vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability in Fluent Bit's Prometheus Remote Write input plugin allows remote attackers with endpoint access to crash the service via a Content-Length: 0 packet, causing a NULL pointer dereference and enabling endpoint denial of service through application exploitation.
NVD Description
An issue was discovered in Fluent Bit 3.1.9. When the Prometheus Remote Write input plugin is running and listening on an IP address and port, one can send a packet with Content-Length: 0 and it crashes the server. Improper handling…
more
of the case when Content-Length is 0 allows a user (with access to the endpoint) to perform a remote Denial of service attack. The crash happens because of a NULL pointer dereference when 0 (from the Content-Length) is passed to the function cfl_sds_len, which in turn tries to cast a NULL pointer into struct cfl_sds. This is related to process_payload_metrics_ng() at prom_rw_prot.c.
Deeper analysisAI
CVE-2024-50608 is a NULL pointer dereference vulnerability (CWE-476) in Fluent Bit version 3.1.9, specifically within the Prometheus Remote Write input plugin. When the plugin is configured to listen on an IP address and port, it improperly handles incoming packets with a Content-Length header set to 0. This triggers a crash due to passing a zero length to the cfl_sds_len function, which attempts to cast a NULL pointer to a struct cfl_sds, occurring in the process_payload_metrics_ng function in prom_rw_prot.c.
Any unauthenticated attacker with network access to the exposed endpoint can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation results in a denial-of-service condition by crashing the Fluent Bit server, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), reflecting high availability impact but no effects on confidentiality or integrity.
Official mitigation details are provided in the Fluent Bit announcements at https://fluentbit.io/announcements/, the project's GitHub releases page at https://github.com/fluent/fluent-bit/releases, and an analysis blog at https://www.ebryx.com/blogs/exploring-cve-2024-50608-and-cve-2024-50609. The vulnerability was published on 2025-02-18.
Details
- CWE(s)