CVE-2024-23450 Overview
A denial of service flaw exists in Elastic Elasticsearch where processing a document through a deeply nested ingest pipeline can crash the affected node. An unauthenticated attacker with network access to an ingest node can trigger node failure by submitting documents that traverse excessive pipeline nesting. The flaw is tracked under CWE-400: Uncontrolled Resource Consumption and impacts cluster availability without exposing data confidentiality or integrity.
Elastic addressed the issue in Elasticsearch 7.17.19 and 8.13.0. The EPSS score is 1.035% at the 77.6th percentile, indicating moderate observed exploit-likelihood signal relative to other CVEs.
Critical Impact
A network-reachable attacker can crash Elasticsearch ingest nodes by submitting documents to a deeply nested pipeline, disrupting search and ingestion availability.
Affected Products
- Elastic Elasticsearch versions prior to 7.17.19
- Elastic Elasticsearch 8.x versions prior to 8.13.0
- NetApp products bundling affected Elasticsearch components (see NetApp advisory)
Discovery Timeline
- 2024-03-27 - CVE-2024-23450 published to NVD
- 2025-02-04 - Last updated in NVD database
Technical Details for CVE-2024-23450
Vulnerability Analysis
Elasticsearch ingest pipelines transform documents before indexing. Pipelines can reference other pipelines through the pipeline processor, allowing chained processing logic. The flaw stems from unbounded recursion or stack growth when a document is routed through a deeply nested chain of pipelines on an ingest node.
When the nesting depth exceeds what the runtime can safely handle, the ingest node exhausts its resources and terminates. The result is a denial of service against the ingestion path, which in turn degrades the ability of the cluster to index, enrich, and search incoming data. The vulnerability does not require authentication where ingest endpoints are network-exposed without access controls.
Root Cause
The root cause is uncontrolled resource consumption [CWE-400] in the ingest pipeline execution logic. Elasticsearch did not enforce a sufficient bound on pipeline-to-pipeline recursion, allowing a single document to drive the node into a fatal state. The fix introduces depth limits and safer handling of nested pipeline references.
Attack Vector
Exploitation requires the ability to submit a document to an ingest pipeline that recursively references additional pipelines. The attacker crafts or causes the creation of a pipeline chain with excessive depth, then sends an indexing request that triggers traversal of the chain. The targeted ingest node crashes, and repeat requests can prevent recovery and propagate impact across other ingest-capable nodes.
No verified public proof-of-concept is referenced in the advisory. For technical detail on the affected versions and fix, refer to the Elastic Security Advisory ESA-2024-06 and the NetApp Security Advisory.
Detection Methods for CVE-2024-23450
Indicators of Compromise
- Unexpected Elasticsearch node crashes or OutOfMemoryError and StackOverflowError entries in node logs correlated with ingest activity
- Spikes in _ingest/pipeline/_simulate or indexing requests that target pipelines referencing other pipelines
- Repeated cluster state changes showing ingest nodes leaving and rejoining the cluster
Detection Strategies
- Audit pipeline definitions for pipeline processors that reference other pipelines and flag chains exceeding a safe depth
- Correlate Elasticsearch node restart events with the source IPs and API keys submitting indexing requests immediately prior
- Alert on abnormal volumes of indexing requests originating from a single client targeting ingest endpoints
Monitoring Recommendations
- Forward Elasticsearch node logs, audit logs, and JVM diagnostics to a centralized analytics platform for crash pattern analysis
- Monitor cluster health, ingest pipeline statistics via _nodes/stats/ingest, and node uptime metrics
- Track the version banner of every Elasticsearch node to identify hosts still running pre-7.17.19 or pre-8.13.0 builds
How to Mitigate CVE-2024-23450
Immediate Actions Required
- Upgrade Elasticsearch to 7.17.19, 8.13.0, or later as published in ESA-2024-06
- Restrict network access to ingest nodes and indexing endpoints using firewall rules and reverse proxy authentication
- Review existing ingest pipeline definitions and remove unnecessary nested pipeline processor references
Patch Information
Elastic released fixed builds in Elasticsearch 7.17.19 and 8.13.0. Operators running NetApp products that embed Elasticsearch should consult the NetApp Security Advisory NTAP-20240517-0010 for vendor-specific update guidance. Apply patches across all data, master, and ingest-capable nodes, then perform a rolling restart to complete the upgrade.
Workarounds
- Disable ingest capability on internet-exposed nodes by setting node.roles to exclude ingest where possible
- Enforce role-based access control so only trusted clients can create or modify ingest pipelines
- Place Elasticsearch behind an authenticated gateway that validates indexing payloads and rate-limits clients
# Configuration example: limit ingest role and enforce authentication
# elasticsearch.yml
node.roles: [ "master", "data" ]
xpack.security.enabled: true
xpack.security.authc.api_key.enabled: true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
