CVE-2024-50609

Severity: High · Public PoC
Published: 18 February 2025
Modified: 22 April 2025
KEV Added: not listed
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0068 (72.1st percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-50609 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Treasuredata Fluent Bit. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 27.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-50609 is a vulnerability discovered in Fluent Bit version 3.1.9, specifically affecting the OpenTelemetry input plugin. When the plugin is configured to listen on an IP address and port, sending a specially crafted packet with a Content-Length header set to 0 triggers a server crash. This stems from improper handling of zero-length Content-Length values, leading to a NULL pointer dereference in the cfl_sds_len function, which attempts to cast a NULL pointer to a struct cfl_sds. The issue occurs in the process_payload_traces_proto_ng() function within opentelemetry_prot.c and is classified under CWE-476 (NULL Pointer Dereference).
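To make the failure mode concrete, here is an added C model written for this page, not Fluent Bit's own code: a hypothetical cfl_sds layout whose length helper walks back to a header (so a NULL buffer faults), the unchecked handler pattern that reaches that helper when Content-Length is 0, and a hardened handler that rejects the empty body first. The request struct, handler names and sds layout are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the cfl_sds string type: a header carrying the length,
 * followed by the character buffer the API hands out (real layout may differ). */
struct cfl_sds { size_t len; size_t alloc; char buf[]; };
typedef char *cfl_sds_t;

/* Walks back from the buffer pointer to its header. With s == NULL the header
 * address is near-NULL and reading ->len faults: the crash the advisory describes. */
size_t cfl_sds_len(cfl_sds_t s)
{
    struct cfl_sds *head = (struct cfl_sds *)(s - offsetof(struct cfl_sds, buf));
    return head->len;
}

cfl_sds_t cfl_sds_create_len(const char *data, size_t n)
{
    struct cfl_sds *head = malloc(sizeof(*head) + n + 1);
    if (head == NULL) return NULL;
    head->len = n; head->alloc = n;
    memcpy(head->buf, data, n); head->buf[n] = '\0';
    return head->buf;
}

void cfl_sds_destroy(cfl_sds_t s) { if (s) free(s - offsetof(struct cfl_sds, buf)); }

/* Constructed request model: the plugin leaves body NULL for Content-Length: 0. */
struct http_request { size_t content_length; cfl_sds_t body; };

/* Vulnerable pattern: assumes a body buffer always exists, so an empty POST
 * reaches cfl_sds_len(NULL) and the process dies. */
int handle_traces_unchecked(const struct http_request *req)
{
    return cfl_sds_len(req->body) > 0 ? 200 : 400;
}

/* Hardened pattern: validate Content-Length and the pointer before any helper
 * touches the payload, answering 400 Bad Request instead of crashing. */
int handle_traces_checked(const struct http_request *req)
{
    if (req->content_length == 0 || req->body == NULL) return 400;
    return cfl_sds_len(req->body) > 0 ? 200 : 400;
}
```

Only the checked handler is safe to exercise; the unchecked one is kept to show exactly where the guard belongs.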

The vulnerability enables a remote denial-of-service attack by any attacker who can reach the exposed OpenTelemetry endpoint over the network. Exploitation requires no privileges, authentication, or user interaction and has low complexity, as reflected in the CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Successful exploitation crashes the Fluent Bit server, disrupting logging and telemetry processing without impacting confidentiality or integrity.

Mitigation details are available in official advisories and patches from the Fluent Bit project. Security practitioners should consult the announcement at https://fluentbit.io/announcements/, release notes at https://github.com/fluent/fluent-bit/releases, and additional analysis at https://www.ebryx.com/blogs/exploring-cve-2024-50608-and-cve-2024-50609 for upgrade instructions and workarounds. The CVE was published on 2025-02-18.

Vulnerability details

An issue was discovered in Fluent Bit 3.1.9. When the OpenTelemetry input plugin is running and listening on an IP address and port, one can send a packet with Content-Length: 0 and it crashes the server. Improper handling of the case when Content-Length is 0 allows a user (with access to the endpoint) to perform a remote Denial of service attack. The crash happens because of a NULL pointer dereference when 0 (from the Content-Length) is passed to the function cfl_sds_len, which in turn tries to cast a NULL pointer into struct cfl_sds. This is related to process_payload_traces_proto_ng() at opentelemetry_prot.c.

CWE(s): CWE-476 (NULL Pointer Dereference)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

CVE-2024-50609 enables remote denial of service by crashing the Fluent Bit OpenTelemetry input plugin via a packet with Content-Length: 0, exploiting a NULL pointer dereference (T1499.004: Application or System Exploitation).

CVEs Like This One

CVE-2024-50608 (same product: Treasuredata Fluent Bit)
CVE-2025-12977 (same product: Treasuredata Fluent Bit)
CVE-2025-12970 (same product: Treasuredata Fluent Bit)
CVE-2026-40413 (shared CWE-476)
CVE-2025-57155 (shared CWE-476)
CVE-2026-28390 (shared CWE-476)
CVE-2026-23952 (shared CWE-476)
CVE-2025-57156 (shared CWE-476)
CVE-2025-63647 (shared CWE-476)
CVE-2025-69624 (shared CWE-476)

Affected Assets

treasuredata fluent bit 3.1.9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly mitigates CVE-2024-50609 by requiring timely remediation through patching the NULL pointer dereference in Fluent Bit's OpenTelemetry input plugin.

SI-10 Information Input Validation (prevent): Requires validation of OpenTelemetry input payloads, including Content-Length headers, to reject zero-length requests that trigger the crash.

Denial-of-service protection (prevent): Provides protections such as rate limiting on the exposed OpenTelemetry endpoint to limit the impact of crash-inducing packets.
