CVE-2024-50608 Overview
CVE-2024-50608 is a NULL pointer dereference vulnerability in Fluent Bit 3.1.9, the widely deployed open-source log processor and forwarder (NVD lists the vendor as Treasure Data). The flaw resides in the Prometheus Remote Write input plugin and allows an unauthenticated remote attacker to crash the Fluent Bit process: a single HTTP request carrying a Content-Length: 0 header, sent to the listening endpoint, is enough. The bug originates in process_payload_metrics_ng() in prom_rw_prot.c, which passes a NULL payload pointer to cfl_sds_len(). The weakness is classified as CWE-476 (NULL Pointer Dereference).
Critical Impact
Remote unauthenticated attackers can crash any Fluent Bit 3.1.9 instance that exposes the Prometheus Remote Write endpoint, disrupting the log and metric pipelines it serves. The impact is denial of service: the public description indicates a crash, not code execution.
Affected Products
- Treasure Data Fluent Bit 3.1.9
- Deployments of that version with the prometheus_remote_write input plugin enabled
- Container and Kubernetes environments using affected Fluent Bit images
Discovery Timeline
- 2025-02-18 - CVE-2024-50608 published to NVD
- 2025-04-22 - Last updated in NVD database
Technical Details for CVE-2024-50608
Vulnerability Analysis
Fluent Bit's Prometheus Remote Write input plugin listens for HTTP POST requests whose bodies carry Prometheus remote-write metric payloads. The plugin hands each inbound request to process_payload_metrics_ng() in prom_rw_prot.c. When the request declares Content-Length: 0, the HTTP layer has no body to hand over, and the handler does not check for that case before processing.
The handler passes the absent payload, a NULL pointer, to cfl_sds_len(), a helper that expects a valid cfl_sds string and reads the length field stored in the header just before the string data. Applied to NULL, that read targets an invalid address derived from the null pointer, and the resulting segmentation fault terminates the Fluent Bit process.
Because Fluent Bit typically runs as one node-level agent (a DaemonSet pod) or as a sidecar, a crash interrupts log shipping, metric ingestion and every observability flow for the workloads it serves. An attacker needs only network reachability to the listening port.
Root Cause
The root cause is missing validation of the empty-body case in the Prometheus Remote Write parser. The code path assumes a non-empty payload and does not branch on Content-Length: 0 before invoking cfl_sds_len() on the payload pointer, which is NULL when no body was received. Because the helper derives the header address from that pointer and dereferences it unconditionally, any request declaring a zero Content-Length reaches the NULL dereference; other header values do not.
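The zero-length branch described in the Vulnerability Analysis and Root Cause sections, modeled as an added example in C. This is not Fluent Bit's own source: only the helper name cfl_sds_len and the handler name process_payload_metrics_ng come from the advisory, while the sds header layout, the request struct, the _vulnerable and _fixed suffixes and the return codes are assumptions made for illustration. The vulnerable shape hands a NULL payload straight to cfl_sds_len(); the hardened shape rejects the empty body first.

```c
/* Added example, not Fluent Bit source: a minimal model of the cfl_sds string
 * helper and of the handler's zero-length branch, to show why a request with
 * Content-Length: 0 crashes 3.1.9 and what the fix must check. Names mirror
 * those in the advisory (cfl_sds_len, process_payload_metrics_ng); the header
 * layout, the request struct and the return codes are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Modeled sds header: the length is stored immediately before the character
 * data, so cfl_sds_len() steps backwards from the data pointer to read it. */
struct cfl_sds {
    size_t len;
    size_t alloc;
    char   buf[];
};
typedef char *cfl_sds_t;

#define CFL_SDS_HEADER(s) ((struct cfl_sds *)((s) - sizeof(struct cfl_sds)))

static size_t cfl_sds_len(cfl_sds_t s)
{
    /* No NULL check: with s == NULL this forms an invalid address from the
     * null pointer and reads it, which is the SIGSEGV behind CVE-2024-50608. */
    return CFL_SDS_HEADER(s)->len;
}

static cfl_sds_t cfl_sds_create_len(const char *data, size_t len)
{
    struct cfl_sds *head = malloc(sizeof *head + len + 1);
    if (head == NULL) return NULL;
    head->len = len;
    head->alloc = len;
    memcpy(head->buf, data, len);
    head->buf[len] = '\0';
    return head->buf;
}

static void cfl_sds_destroy(cfl_sds_t s)
{
    if (s != NULL) free(CFL_SDS_HEADER(s));
}

/* Modeled inbound request as the HTTP layer hands it over: with
 * Content-Length: 0 no body buffer is allocated, so payload is NULL. */
struct prom_rw_request {
    cfl_sds_t payload;
    size_t    content_length;
};

static struct prom_rw_request make_request(const char *body, size_t content_length)
{
    struct prom_rw_request req;
    req.content_length = content_length;
    req.payload = content_length ? cfl_sds_create_len(body, content_length) : NULL;
    return req;
}

/* Vulnerable shape: trusts the payload pointer. Called with the request built
 * from Content-Length: 0 it dereferences NULL and the process dies. */
int process_payload_metrics_ng_vulnerable(struct prom_rw_request *req)
{
    return (int) cfl_sds_len(req->payload);   /* stand-in for decode + ingest */
}

/* Hardened shape: refuse an absent or empty body before touching the sds,
 * so the listener answers an error and keeps running. */
static int process_payload_metrics_ng_fixed(struct prom_rw_request *req)
{
    if (req->payload == NULL || req->content_length == 0) {
        return -1;                             /* caller maps this to HTTP 400 */
    }
    return (int) cfl_sds_len(req->payload);
}

/* Builds a request, runs the hardened handler, frees the body and returns
 * the handler's result: -1 for the CVE trigger, the body length otherwise. */
static int fixed_result_for(const char *body, size_t content_length)
{
    struct prom_rw_request req = make_request(body, content_length);
    int rc = process_payload_metrics_ng_fixed(&req);
    cfl_sds_destroy(req.payload);
    return rc;
}

int main(void)
{
    /* Constructed inputs: a normal 6-byte write and the Content-Length: 0 trigger. */
    printf("fixed handler, 6-byte body: %d\n", fixed_result_for("sample", 6));
    printf("fixed handler, empty body:  %d\n", fixed_result_for(NULL, 0));
    /* The vulnerable handler on the same empty request would SIGSEGV:
     *   struct prom_rw_request e = make_request(NULL, 0);
     *   process_payload_metrics_ng_vulnerable(&e); */
    return 0;
}
```

Compile with cc -o model model.c and run it; uncommenting the two lines at the end of main and calling the vulnerable handler on the empty request terminates the process with SIGSEGV, which is the crash the advisory describes. The fix is the guard in process_payload_metrics_ng_fixed(): check the pointer and the declared length before any sds helper sees the buffer.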
Attack Vector
Exploitation requires only network access to the Prometheus Remote Write listener. The attacker sends a single HTTP POST to the plugin's URI with a Content-Length: 0 header and no body. No authentication, credentials or user interaction are required. The request crashes the process immediately, producing a denial of service against that Fluent Bit instance, and re-sending it each time a supervisor restarts the process sustains the outage indefinitely.
A minimal trigger is a plain curl POST to the listener URI with an empty body and an explicit zero Content-Length. A technical analysis is available in the Ebryx Blog CVE Analysis.
Detection Methods for CVE-2024-50608
Indicators of Compromise
- Unexpected termination or restart events for the fluent-bit process on hosts exposing the Prometheus Remote Write input.
- HTTP requests in the logs of any proxy or load balancer fronting Fluent Bit that carry Content-Length: 0 and target the Fluent Bit listener port or the Prometheus Remote Write URI.
- Gaps in log or metric ingestion correlated with crash timestamps in container orchestrator events.
Detection Strategies
- Monitor Fluent Bit process exit codes and segmentation fault signals using host telemetry and container runtime events.
- Inspect web application firewall and reverse proxy logs for inbound POST requests declaring Content-Length: 0 against the Prometheus Remote Write URI on Fluent Bit endpoints.
- Correlate sudden drops in observability pipeline throughput with process restart events to surface DoS attempts.
Monitoring Recommendations
- Alert on repeated Fluent Bit restarts within short time windows on any host running version 3.1.9.
- Track HTTP request patterns to the Prometheus Remote Write port and flag anomalous spikes from unexpected source addresses.
- Raise Log_Level to debug on Fluent Bit during triage to capture the request headers that precede a crash.
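The Indicators of Compromise and the proxy-log bullet of the Detection Strategies above, as detection logic run over constructed proxy log lines. This is an added example, not code from the page or from the Fluent Bit project: the nginx-style log_format, the sample lines, the 502 status for requests that reached a crashed upstream and the small per-source table are assumptions.

```c
/* Added example, not from the page or from Fluent Bit: a small detector that
 * reads reverse-proxy access log lines and flags the request shape behind
 * CVE-2024-50608: a POST to the Prometheus Remote Write URI whose
 * Content-Length is 0. The log format is an assumption, an nginx-style
 *   log_format prw '$remote_addr [$time_local] "$request" $status $content_length';
 * in which $content_length is "-" when the client sent no such header. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PRW_URI "/api/v1/write"  /* plugin default Uri; adjust per deployment */
#define MAX_SOURCES 32

/* Returns 1 when the line matches the trigger shape (copying the client
 * address into client_out, 64 bytes), 0 when it does not, -1 when the line
 * does not parse as the assumed format. */
static int classify_line(const char *line, char *client_out)
{
    char client[64], ts[64], method[8], uri[256], proto[16], clen[32];
    int status;

    if (sscanf(line, "%63s [%63[^]]] \"%7s %255s %15[^\"]\" %d %31s",
               client, ts, method, uri, proto, &status, clen) != 7)
        return -1;
    /* "-" means the header was absent: the proxy never saw a literal 0, so
     * this is a different anomaly and is deliberately not flagged here. */
    if (strcmp(clen, "-") == 0) return 0;
    if (strcmp(method, "POST") != 0) return 0;
    if (strncmp(uri, PRW_URI, strlen(PRW_URI)) != 0) return 0;
    if (strtoul(clen, NULL, 10) != 0) return 0;
    if (client_out) snprintf(client_out, 64, "%s", client);
    return 1;
}

struct source_count { char client[64]; int n; };

/* Scans newline-separated log text. Returns the number of trigger-shaped
 * requests and stores the count from the single busiest source, a crude
 * signal for the restart-chasing pattern the advisory describes. */
static int scan_log(const char *log, int *max_from_one_source)
{
    struct source_count sources[MAX_SOURCES];
    int nsources = 0, hits = 0, i;
    char line[512], client[64];
    const char *p = log;

    *max_from_one_source = 0;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full < sizeof line ? full : sizeof line - 1;

        memcpy(line, p, len);
        line[len] = '\0';
        if (classify_line(line, client) == 1) {
            hits++;
            for (i = 0; i < nsources; i++)
                if (strcmp(sources[i].client, client) == 0) break;
            if (i == nsources && nsources < MAX_SOURCES) {
                snprintf(sources[nsources].client, 64, "%s", client);
                sources[nsources++].n = 0;
            }
            if (i < nsources && ++sources[i].n > *max_from_one_source)
                *max_from_one_source = sources[i].n;
        }
        p = nl ? nl + 1 : p + full;
    }
    return hits;
}

/* Constructed sample log: one legitimate write, one GET, three zero-length
 * POSTs (two from the same client) and one POST with no Content-Length. */
static const char SAMPLE_LOG[] =
    "10.0.3.15 [18/Feb/2025:10:00:00 +0000] \"POST /api/v1/write HTTP/1.1\" 200 1842\n"
    "10.0.3.15 [18/Feb/2025:10:00:05 +0000] \"GET /api/v1/metrics HTTP/1.1\" 200 -\n"
    "198.51.100.7 [18/Feb/2025:10:00:09 +0000] \"POST /api/v1/write HTTP/1.1\" 502 0\n"
    "198.51.100.7 [18/Feb/2025:10:00:21 +0000] \"POST /api/v1/write HTTP/1.1\" 502 0\n"
    "203.0.113.4 [18/Feb/2025:10:00:30 +0000] \"POST /api/v1/write HTTP/1.1\" 502 0\n"
    "203.0.113.4 [18/Feb/2025:10:00:31 +0000] \"POST /api/v1/write HTTP/1.1\" 400 -\n";

static int sample_hit_count(void)      { int m; return scan_log(SAMPLE_LOG, &m); }
static int sample_busiest_source(void) { int m; scan_log(SAMPLE_LOG, &m); return m; }

int main(void)
{
    printf("zero-length POSTs to %s: %d (max from one client: %d)\n",
           PRW_URI, sample_hit_count(), sample_busiest_source());
    return 0;
}
```

A line with "-" for $content_length is parsed but not flagged, since the proxy never saw a literal zero; treat repeated hits from one client in a short window, combined with 502s from the upstream and a Fluent Bit restart in container events, as the strongest signal. On the constructed sample the scan reports 3 hits with 2 from the busiest source.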
How to Mitigate CVE-2024-50608
Immediate Actions Required
- Upgrade Fluent Bit to a release that contains the fix for CVE-2024-50608, as documented in the Fluent Bit Release Notes; confirm the fix is listed rather than assuming any build newer than 3.1.9 is patched.
- Restrict network access to the Prometheus Remote Write input port using firewall rules or network policies until the upgrade is applied.
- Audit all Fluent Bit deployments, including sidecars and DaemonSets, to identify instances running the vulnerable version.
Patch Information
Treasure Data and the Fluent Bit maintainers released patched versions addressing the NULL pointer dereference in process_payload_metrics_ng(). Refer to Fluent Bit Announcements and the official GitHub release notes for the specific fixed version applicable to your deployment.
Workarounds
- Disable the Prometheus Remote Write input plugin in fluent-bit.conf if it is not required.
- Place an authenticating reverse proxy in front of the Fluent Bit listener and reject HTTP requests with Content-Length: 0.
- Apply network segmentation so only trusted metric producers can reach the listener port.
# Configuration example: disable the Prometheus Remote Write input until patched
# fluent-bit.conf (classic format; keys under a section are indented)
[SERVICE]
    Flush        1
    Log_Level    info
# Comment out or remove the vulnerable input block. The values shown match
# the plugin's defaults (port 8080, URI /api/v1/write).
# [INPUT]
#     Name    prometheus_remote_write
#     Listen  0.0.0.0
#     Port    8080
#     Uri     /api/v1/write
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.