CVE-2024-50609
Published: 18 February 2025
Summary
CVE-2024-50609 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Treasuredata Fluent Bit. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 28.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates CVE-2024-50609 by requiring timely remediation, i.e. applying the Fluent Bit patch for the NULL pointer dereference in the OpenTelemetry input plugin.
- SI-10 (Information Input Validation): Requires validation of OpenTelemetry input payloads, including the Content-Length header, so that zero-length requests are rejected before they reach the code path that crashes.
- Provides denial-of-service protections, such as rate limiting on the exposed OpenTelemetry endpoint, to limit the impact of crash-inducing packets.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2024-50609 enables remote denial of service by crashing the Fluent Bit OpenTelemetry input plugin via a packet with Content-Length: 0, exploiting a NULL pointer dereference (T1499.004: Application or System Exploitation).
NVD Description
An issue was discovered in Fluent Bit 3.1.9. When the OpenTelemetry input plugin is running and listening on an IP address and port, one can send a packet with Content-Length: 0 and it crashes the server. Improper handling of the case when Content-Length is 0 allows a user (with access to the endpoint) to perform a remote Denial of service attack. The crash happens because of a NULL pointer dereference when 0 (from the Content-Length) is passed to the function cfl_sds_len, which in turn tries to cast a NULL pointer into struct cfl_sds. This is related to process_payload_traces_proto_ng() at opentelemetry_prot.c.
Deeper analysis
CVE-2024-50609 is a vulnerability discovered in Fluent Bit version 3.1.9, specifically affecting the OpenTelemetry input plugin. When the plugin is configured to listen on an IP address and port, sending a specially crafted packet with a Content-Length header set to 0 triggers a server crash. This stems from improper handling of zero-length Content-Length values, leading to a NULL pointer dereference in the cfl_sds_len function, which attempts to cast a NULL pointer to a struct cfl_sds. The issue occurs in the process_payload_traces_proto_ng() function within opentelemetry_prot.c and is classified under CWE-476 (NULL Pointer Dereference).
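As an added illustration constructed for this page (not Fluent Bit's own code), the following C model shows the header-before-buffer string layout that a cfl_sds_len-style call relies on, the unguarded length read that dereferences NULL when a Content-Length: 0 request arrives with no body, and the guarded form plus the up-front payload check a patched handler would apply. The struct layout, sds_create, sds_destroy and handle_otel_request are assumptions made for the model.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Toy header-before-buffer string in the style of cfl_sds (constructed model,
 * not Fluent Bit's real definition). Callers hold a pointer to buf; the
 * header is recovered by stepping back from that pointer. */
struct cfl_sds { size_t len; size_t alloc; char buf[1]; };
typedef char *cfl_sds_t;
#define CFL_SDS_HEADER(s) ((struct cfl_sds *)((s) - offsetof(struct cfl_sds, buf)))

static cfl_sds_t sds_create(const char *data, size_t len) {
    struct cfl_sds *h = malloc(sizeof *h + len);   /* sizeof *h already covers buf[1] */
    if (!h) return NULL;
    h->len = len;
    h->alloc = len;
    memcpy(h->buf, data, len);
    h->buf[len] = '\0';
    return h->buf;
}

static void sds_destroy(cfl_sds_t s) { if (s) free(CFL_SDS_HEADER(s)); }

/* Bug pattern (CWE-476): the header is read through whatever pointer arrives.
 * With Content-Length: 0 the request carries no body, the pointer is NULL, and
 * the cast-and-read faults. Must never be called with a NULL s. */
size_t cfl_sds_len_unguarded(cfl_sds_t s) { return CFL_SDS_HEADER(s)->len; }

/* Hardened form: a NULL buffer is reported as empty instead of dereferenced. */
size_t cfl_sds_len_guarded(cfl_sds_t s) { return s ? CFL_SDS_HEADER(s)->len : 0; }

/* Model of the request path: a body buffer exists only when Content-Length is
 * positive, and the handler rejects an empty payload before decoding anything
 * (the SI-10 input-validation control). Returns 0 on accept, -1 on reject. */
int handle_otel_request(long content_length, const char *body) {
    cfl_sds_t payload = NULL;
    if (content_length > 0 && body != NULL)
        payload = sds_create(body, (size_t)content_length);
    if (cfl_sds_len_guarded(payload) == 0) {   /* NULL or zero-length: reject */
        sds_destroy(payload);
        return -1;
    }
    /* ... decoding of the trace payload would follow here ... */
    sds_destroy(payload);
    return 0;
}
```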
The vulnerability enables a remote denial-of-service attack by any attacker who can reach the exposed OpenTelemetry endpoint over the network. Exploitation requires no privileges, authentication, or user interaction and has low attack complexity, as reflected in the CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Successful exploitation crashes the Fluent Bit server, disrupting logging and telemetry processing without impacting confidentiality or integrity.
Mitigation details are available in official advisories and patches from the Fluent Bit project. Security practitioners should consult the announcement at https://fluentbit.io/announcements/, release notes at https://github.com/fluent/fluent-bit/releases, and additional analysis at https://www.ebryx.com/blogs/exploring-cve-2024-50608-and-cve-2024-50609 for upgrade instructions and workarounds. The CVE was published on 2025-02-18.
Details
- CWE(s)