CVE-2024-52979 Overview
CVE-2024-52979 is a high-severity denial-of-service vulnerability in Elastic Elasticsearch. The flaw exists in the Mustache template evaluation engine used by Elasticsearch search templates. An attacker who submits a specifically crafted search template can trigger uncontrolled resource consumption, causing the Elasticsearch node to crash. The issue is tracked as CWE-400: Uncontrolled Resource Consumption and was disclosed in Elastic Security Advisory ESA-2024-40. Elastic addressed the issue in Elasticsearch 7.17.25 and 8.16.0.
Critical Impact
A remote attacker without authentication requirements can crash Elasticsearch nodes by submitting malicious Mustache search templates, disrupting search availability across dependent applications and data pipelines.
Affected Products
- Elastic Elasticsearch versions prior to 7.17.25
- Elastic Elasticsearch 8.x versions prior to 8.16.0
- Deployments exposing the Search Template API to untrusted clients
Discovery Timeline
- 2025-05-01 - CVE-2024-52979 published to NVD
- 2025-10-02 - Last updated in NVD database
Technical Details for CVE-2024-52979
Vulnerability Analysis
Elasticsearch supports search templates rendered through the Mustache templating engine. Templates accept parameters and produce queries at execution time. The vulnerability arises when the template engine evaluates specifically crafted Mustache functions that consume disproportionate CPU and memory resources relative to the request size. Continued processing of such a template exhausts JVM resources and crashes the affected node.
The attack does not require authentication or user interaction in deployments where the Search Template API is exposed. A single malicious request can be sufficient to terminate the Elasticsearch process, and repeated requests can prevent cluster recovery by crashing newly elected nodes as they receive the same template traffic.
The vulnerability impacts availability only. Confidentiality and integrity of indexed data are not affected by this flaw. See the Elastic Security Advisory ESA-2024-40 for vendor details.
Root Cause
The Mustache template processor does not enforce sufficient resource bounds when evaluating template functions. Certain function combinations and inputs allow recursive or amplified evaluation that grows beyond safe limits. The engine lacks the timeouts, depth limits, and memory ceilings needed to terminate runaway template execution before it destabilizes the node.
Attack Vector
The attacker delivers a crafted JSON request to the Elasticsearch Search Template API endpoint, typically _search/template or _render/template. The request body contains Mustache template source or parameters that trigger the costly evaluation path. Because the attack vector is the network and complexity is low, any Elasticsearch instance reachable by untrusted clients is exposed.
No verified proof-of-concept code is published for this CVE. The vulnerability is described in prose in the vendor advisory; refer to the Elastic Security Advisory ESA-2024-40 for technical context.
Detection Methods for CVE-2024-52979
Indicators of Compromise
- Elasticsearch node JVM crashes or OutOfMemoryError entries in cluster logs without an obvious workload cause
- Sustained high CPU on data or coordinating nodes correlated with _search/template or _render/template requests
- Repeated client requests containing complex Mustache constructs from a small set of source addresses
- Cluster re-election events following template API requests from external clients
Detection Strategies
- Inspect Elasticsearch slow logs and audit logs for template requests with abnormally large bodies or long evaluation times
- Monitor request patterns to the Search Template endpoints and alert on volume spikes from individual clients
- Correlate node crash events with the last successful HTTP request handled before termination
- Track JVM garbage collection metrics and heap usage for sudden spikes preceding crashes
Monitoring Recommendations
- Enable Elasticsearch audit logging with transport.type and request body capture for the template APIs
- Forward Elasticsearch and JVM logs to a centralized SIEM for correlation across cluster nodes
- Alert on node_failure and master_not_discovered_exception events that follow inbound template traffic
- Track the Elasticsearch version reported by each node and flag any host still running pre-7.17.25 or pre-8.16.0 builds
How to Mitigate CVE-2024-52979
Immediate Actions Required
- Upgrade Elasticsearch to version 7.17.25, 8.16.0, or later as specified in the vendor advisory
- Restrict network exposure of the Elasticsearch HTTP API so only trusted application tiers can submit search templates
- Require authentication and role-based access control on all clusters and remove anonymous access to the template endpoints
- Review application code that constructs Mustache templates to ensure user input is never embedded as template source
Patch Information
Elastic released fixed builds in Elasticsearch 7.17.25 and 8.16.0. Apply the upgrade according to the procedure in the Elastic Security Advisory ESA-2024-40. For Elastic Cloud deployments, confirm the underlying cluster version has been moved to a patched release.
Workarounds
- Block external access to _search/template and _render/template at the reverse proxy or load balancer if patching cannot be performed immediately
- Use stored search templates with fixed source and accept only parameters from clients, rejecting inline template bodies
- Apply request body size limits and per-client rate limits in front of Elasticsearch to reduce blast radius
- Run Elasticsearch nodes with conservative JVM heap sizing and circuit breaker settings to contain resource spikes
# Example: restrict template endpoints at an Nginx reverse proxy
location ~* /_(search|render)/template {
deny all;
return 403;
}
# Verify the running Elasticsearch version is patched
curl -s -u elastic:$ES_PASSWORD https://localhost:9200 | jq '.version.number'
# Expected output: "7.17.25" or "8.16.0" or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
