GHSA-j9cw-hwqf-85w7: Fluentd is Vulnerable to Denial of Service (DoS) via Gzip Decompression Bomb in `in_http` and `in_forward`
Fluentd versions prior to 1.19.3 have a vulnerability in the `in_http` and `in_forward` plugins where gzip-compressed data decompression is not limited in size. This allows an attacker to send a maliciously crafted compressed payload that expands to an excessive size in memory, causing a denial of service (DoS) via memory exhaustion. The attack can cause the Fluentd process to be killed by the operating system, disrupting log collection and forwarding.
AI Analysis
Technical Summary
Fluentd's `in_http` and `in_forward` plugins accept gzip-compressed data and enforce size limits on compressed payloads but do not limit the size of decompressed data. An attacker can exploit this by sending a specially crafted compressed payload that decompresses to a very large size, bypassing the intended payload size limits. This leads to rapid memory consumption and potential process termination due to out-of-memory conditions, resulting in denial of service. The vulnerability affects Fluentd versions before 1.19.3.
Potential Impact
The vulnerability enables denial of service through memory exhaustion caused by decompressing maliciously crafted gzip payloads. This can cause the Fluentd process to be terminated by the operating system, resulting in loss of logging and forwarding functionality on the affected system.
Mitigation Recommendations
A fixed version, Fluentd 1.19.3, is available and should be applied to remediate this vulnerability. If immediate upgrade is not possible, restrict network access to Fluentd input ports (e.g., 9880 for `in_http` and 24224 for `in_forward`) to trusted networks using firewall rules. Additionally, placing a reverse proxy such as Nginx in front of Fluentd to handle gzip decompression and enforce strict limits on both compressed and decompressed payload sizes is recommended.
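The gap described above, a limit on bytes received but none on bytes after decompression, is closed by decompressing in a stream and stopping once a cap is reached. The Ruby sketch below is an added example, not Fluentd's own code or its 1.19.3 patch; `bounded_gunzip`, `check_body`, `DecompressedTooLarge`, the limit names and the sample payloads are all hypothetical.

```ruby
require "zlib"
require "stringio"

# Hypothetical error type for this example.
class DecompressedTooLarge < StandardError; end

# Decompress a gzip body in fixed-size reads and stop as soon as the
# running total passes max_bytes, instead of inflating it all at once.
def bounded_gunzip(compressed, max_bytes:, chunk: 16 * 1024)
  gz = Zlib::GzipReader.new(StringIO.new(compressed))
  out = String.new(encoding: Encoding::BINARY)
  total = 0
  while (piece = gz.read(chunk)) # nil at end of stream
    total += piece.bytesize
    if total > max_bytes
      raise DecompressedTooLarge, "decompressed body exceeds #{max_bytes} bytes"
    end
    out << piece
  end
  out
ensure
  gz&.close
end

# Apply both limits: bytes on the wire first, then bytes after inflation.
def check_body(raw, wire_limit:, inflated_limit:)
  return :rejected_wire_size if raw.bytesize > wire_limit
  bounded_gunzip(raw, max_bytes: inflated_limit)
  :accepted
rescue DecompressedTooLarge
  :rejected_inflated_size
rescue Zlib::Error
  :rejected_bad_gzip
end

# Constructed samples: ordinary log lines, and a highly compressible body
# (8 MiB of zero bytes) whose compressed form is only a few KiB.
SAMPLE_LINES = %({"message":"login ok"}\n) * 100
NORMAL = Zlib.gzip(SAMPLE_LINES)
HIGH_RATIO = Zlib.gzip("\0" * (8 * 1024 * 1024))

if $PROGRAM_NAME == __FILE__
  limits = { wire_limit: 64 * 1024, inflated_limit: 1024 * 1024 }
  puts "normal:     #{NORMAL.bytesize} B -> #{check_body(NORMAL, **limits)}"
  puts "high-ratio: #{HIGH_RATIO.bytesize} B -> #{check_body(HIGH_RATIO, **limits)}"
end
```

The high-ratio sample passes the wire-size check on its own, which is why the second limit has to be enforced during decompression rather than before it.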
Technical Details
- Gcve Source: db.gcve.eu
- Osv Id: GHSA-j9cw-hwqf-85w7
- Osv Schema Version: 1.4.0
- Aliases: ["CVE-2026-44160"]
- Ecosystems: ["RubyGems"]
- Database Specific Severity: HIGH
- Cvss Version: 3.1
Threat ID: 6a3ef79627e9c79719ff8e7c
Added to database: 06/26/2026, 22:05:10 UTC
Last enriched: 06/26/2026, 22:19:36 UTC
Last updated: 06/26/2026, 22:19:36 UTC