CVE-2024-52981 Overview
CVE-2024-52981 is a denial-of-service vulnerability in Elastic Elasticsearch. The flaw stems from unbounded recursion when parsing Well-Known Text (WKT) formatted geometry strings containing deeply nested GeometryCollection objects. An attacker submitting a crafted WKT payload to a vulnerable endpoint can trigger a stack overflow in the Java Virtual Machine, terminating the Elasticsearch process. The issue affects the geo-spatial parsing logic and falls under uncontrolled resource consumption [CWE-400]. Elastic addressed the issue in Elasticsearch 7.17.24 and 8.15.1 through security advisory ESA-2024-37.
Critical Impact
Unauthenticated network attackers can crash Elasticsearch nodes by submitting WKT payloads with deeply nested GeometryCollection structures, disrupting search and indexing availability.
Affected Products
- Elastic Elasticsearch versions prior to 7.17.24
- Elastic Elasticsearch 8.x versions prior to 8.15.1
- Deployments exposing geo-spatial query or ingest endpoints that accept WKT input
Discovery Timeline
- 2025-04-08 - CVE-2024-52981 published to the National Vulnerability Database
- 2025-10-02 - Last updated in NVD database
Technical Details for CVE-2024-52981
Vulnerability Analysis
The vulnerability resides in Elasticsearch's WKT geometry parser. WKT is a text markup language used to represent vector geometry objects, including points, polygons, and GeometryCollection containers that hold other geometries. The parser processes nested GeometryCollection entries recursively, with each level of nesting consuming a stack frame.
When an attacker submits a WKT string containing thousands of nested GeometryCollection tokens, recursion depth exceeds the JVM thread stack size. The thread terminates with a StackOverflowError, and depending on which thread services the request, the failure can cascade into node instability and request handler crashes. Repeated requests sustain a denial-of-service condition against the cluster.
The attack requires no authentication when geo-spatial endpoints are network-reachable and accept user-supplied geometry input. It also requires no user interaction, making automated exploitation straightforward against exposed clusters.
Root Cause
The root cause is missing recursion-depth enforcement in the WKT parser. The parsing routine that handles GeometryCollection does not validate or cap nesting depth before descending into child geometries. This is a classic uncontrolled resource consumption flaw [CWE-400] applied to the call stack rather than heap memory.
Attack Vector
Exploitation requires network access to any Elasticsearch API that accepts WKT input, such as geo_shape field ingestion, geo_shape queries, or document indexing into mapped geometry fields. An attacker sends a single HTTP request with a payload constructed of repeated GEOMETRYCOLLECTION( tokens followed by matched closing parentheses. The deeper the nesting, the more reliable the crash.
The vulnerability is described in prose because no public proof-of-concept code is available. See the Elastic Security Advisory ESA-2024-37 for vendor technical details.
Detection Methods for CVE-2024-52981
Indicators of Compromise
- Unexpected Elasticsearch node restarts or StackOverflowError entries in Elasticsearch JVM logs
- HTTP request bodies containing high counts of the literal token GEOMETRYCOLLECTION against _search, _bulk, or document index endpoints
- Spikes in 5xx responses or dropped connections from geo-spatial query endpoints
Detection Strategies
- Inspect Elasticsearch logs for java.lang.StackOverflowError stack traces referencing WKT or geometry parsing classes
- Apply web application firewall (WAF) rules that flag request bodies with excessive repetition of GEOMETRYCOLLECTION tokens or payload sizes inconsistent with legitimate geo-spatial queries
- Correlate node crash events with preceding HTTP requests to geo-shape endpoints to identify malicious payloads
Monitoring Recommendations
- Forward Elasticsearch JVM and slowlog output to a centralized analytics platform for alerting on stack overflow signatures
- Monitor cluster health transitions to red or yellow states alongside ingest request patterns
- Track request payload entropy and length distributions for endpoints that accept WKT input
How to Mitigate CVE-2024-52981
Immediate Actions Required
- Upgrade Elasticsearch to version 7.17.24, 8.15.1, or later as published in advisory ESA-2024-37
- Restrict network exposure of Elasticsearch APIs to trusted clients using firewalls or service mesh policies
- Require authentication and role-based access control on all ingest and search endpoints
- Audit application code that forwards user-supplied WKT to Elasticsearch and add server-side input length limits
Patch Information
Elastic released fixes in Elasticsearch 7.17.24 and 8.15.1. Refer to the Elastic Security Advisory ESA-2024-37 for download links and release notes. Apply patches to all data, master, and ingest nodes following Elastic's rolling upgrade procedure.
Workarounds
- Place a reverse proxy or WAF in front of Elasticsearch and reject request bodies exceeding a defined size threshold
- Validate and reject WKT payloads containing more than a small fixed count of GEOMETRYCOLLECTION tokens before forwarding to Elasticsearch
- Disable or restrict access to geo_shape mappings and queries if they are not required by the application
# Example NGINX limit to cap request body size in front of Elasticsearch
client_max_body_size 1m;
# Example iptables rule restricting Elasticsearch HTTP port to an allowlist
iptables -A INPUT -p tcp --dport 9200 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 9200 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
