CVE-2024-58259 Overview
CVE-2024-58259 is a denial of service vulnerability in Rancher Manager. The application fails to enforce request body size limits on specific public (unauthenticated) and authenticated API endpoints. An attacker can submit excessively large HTTP payloads that Rancher Manager loads entirely into memory during processing. This memory exhaustion behavior causes the Rancher Manager process to become unresponsive or crash, disrupting Kubernetes cluster management operations.
The vulnerability is tracked under CWE-770: Allocation of Resources Without Limits or Throttling. Because affected endpoints include unauthenticated routes, exploitation requires no credentials and only network access to the management interface.
Critical Impact
Unauthenticated network attackers can exhaust Rancher Manager memory and trigger a denial of service that disrupts management of all downstream Kubernetes clusters.
Affected Products
- Rancher Manager (multi-cluster Kubernetes management platform from SUSE)
- Refer to the GitHub Security Advisory GHSA-4h45-jpvh-6p5j for fixed version ranges
- Refer to the SUSE Bugzilla entry for CVE-2024-58259 for distribution-specific package status
Discovery Timeline
- 2025-09-02 - CVE-2024-58259 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-58259
Vulnerability Analysis
Rancher Manager exposes HTTP API endpoints used for cluster provisioning, authentication, and management workflows. Several of these endpoints, including some that accept unauthenticated requests, do not impose a maximum size on the HTTP request body. When a client submits a request, Rancher Manager reads the entire payload into memory before performing any validation or parsing.
An attacker can send a single oversized POST or PUT request, or a series of such requests in parallel, to consume all available heap memory on the Rancher Manager host. Because the loading occurs prior to authentication on public endpoints, no credentials are required to reach the vulnerable code path. The result is an out-of-memory condition that terminates or stalls the management plane.
Root Cause
The root cause is that the affected handlers enforce neither a ceiling on the declared Content-Length nor a limit on the streamed request body. The HTTP request processing layer accepts the full payload before any middleware can reject it based on size, which is the unbounded resource allocation pattern described in CWE-770.
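To make the root cause concrete, the following added Go example (illustrative code, not Rancher's own) contrasts a handler that buffers the whole body before validating it with one that rejects an oversized declared Content-Length up front and streams the body through http.MaxBytesReader. The 1 MiB ceiling and the /v3/clusters request path are assumptions for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// maxBodyBytes is an assumed ceiling for JSON API bodies (illustrative, not Rancher's value).
const maxBodyBytes = 1 << 20 // 1 MiB
// unboundedHandler shows the CWE-770 pattern: the entire body is buffered before validation.
func unboundedHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body) // no ceiling: a 500 MB body becomes 500 MB of heap
	if err != nil || !json.Valid(body) {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}
// boundedHandler rejects an oversized declared Content-Length first, then wraps the body in
// http.MaxBytesReader so chunked or mis-declared bodies are cut off at the ceiling mid-stream.
func boundedHandler(w http.ResponseWriter, r *http.Request) {
	if r.ContentLength > maxBodyBytes {
		http.Error(w, "body too large", http.StatusRequestEntityTooLarge)
		return
	}
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	var payload map[string]any
	if err := json.NewDecoder(r.Body).Decode(&payload); err != nil {
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			http.Error(w, "body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad json", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}
func main() {
	big := []byte(`{"name":"` + string(bytes.Repeat([]byte("A"), 2*maxBodyBytes)) + `"}`) // constructed 2 MiB JSON
	rec := httptest.NewRecorder()
	boundedHandler(rec, httptest.NewRequest(http.MethodPost, "/v3/clusters", bytes.NewReader(big)))
	fmt.Println(rec.Code) // 413
}
```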
Attack Vector
The attack is delivered over the network against the Rancher Manager API. An attacker crafts an HTTP request with a payload sized in the hundreds of megabytes or larger and submits it to a vulnerable endpoint. Repeating the request, or sending it concurrently, amplifies memory pressure until the process is killed by the OS out-of-memory handler or becomes unresponsive to legitimate API traffic.
No authentication is required for the public endpoints, no user interaction is involved, and exploitation requires no specialized tooling beyond a standard HTTP client. See the GitHub Security Advisory for technical specifics on the affected routes.
Detection Methods for CVE-2024-58259
Indicators of Compromise
- HTTP requests to Rancher Manager API endpoints with Content-Length values that are unusually large (for example, exceeding tens of megabytes) where small JSON bodies are expected.
- Sudden spikes in Rancher Manager process memory consumption immediately followed by OOM kills or container restarts.
- Repeated 5xx responses, gateway timeouts, or pod CrashLoopBackOff events affecting the rancher deployment.
Detection Strategies
- Inspect reverse proxy and ingress access logs (NGINX, Traefik, cloud load balancers) for inbound requests with abnormally large request bodies targeting Rancher API paths.
- Correlate Rancher pod restart events with preceding traffic patterns from a single source IP or small set of IPs.
- Alert when unauthenticated endpoints receive bodies above an expected threshold for normal API calls.
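As an added illustration of the first two strategies (not part of the original advisory), this Go snippet scans ingress-nginx style access-log lines and counts, per source address, the oversized write requests aimed at Rancher API paths. The log layout, the 10 MiB threshold and the /v3 prefix are assumptions to adjust for your environment, and the sample log lines are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Assumed ingress-nginx default access-log layout, captured up to $request_length (header plus
// body bytes): ip - user [time] "method path proto" status body_bytes_sent "referer" "ua" request_length ...
var lineRe = regexp.MustCompile(`^(\S+) - \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} \d+ "[^"]*" "[^"]*" (\d+) `)
// Thresholds are assumptions for illustration; tune them to your own traffic baseline.
const (
	oversizedBytes = 10 << 20 // 10 MiB: well above any normal Rancher JSON body
	apiPrefix      = "/v3"    // assumed Rancher API prefix; extend for other routes
)
// OversizedWritesBySource counts, per source address, the POST/PUT/PATCH requests to
// Rancher API paths whose request size crosses the threshold.
func OversizedWritesBySource(logText string) map[string]int {
	counts := map[string]int{}
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		m := lineRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue // line not in the expected format
		}
		ip, method, path := m[1], m[2], m[3]
		size, _ := strconv.ParseInt(m[4], 10, 64)
		isWrite := method == "POST" || method == "PUT" || method == "PATCH"
		if isWrite && strings.HasPrefix(path, apiPrefix) && size >= oversizedBytes {
			counts[ip]++
		}
	}
	return counts
}

// sampleLog is constructed for this example: two oversized writes from one address, then ordinary traffic.
const sampleLog = `203.0.113.7 - - [02/Sep/2025:10:14:31 +0000] "POST /v3/clusters HTTP/1.1" 504 0 "-" "curl/8.5.0" 524288911 60.002 [cattle-system-rancher-443] [] 10.42.0.15:443 0 60.001 504 7f1c
203.0.113.7 - - [02/Sep/2025:10:14:33 +0000] "PUT /v3/clusters/c-m-abcde HTTP/1.1" 502 0 "-" "curl/8.5.0" 262144521 31.417 [cattle-system-rancher-443] [] 10.42.0.15:443 0 31.416 502 7f1d
198.51.100.20 - - [02/Sep/2025:10:14:35 +0000] "POST /v3/clusters HTTP/1.1" 201 2411 "-" "Mozilla/5.0" 1873 0.120 [cattle-system-rancher-443] [] 10.42.0.15:443 2411 0.119 201 7f1e
198.51.100.20 - - [02/Sep/2025:10:14:36 +0000] "GET /v3/clusters HTTP/1.1" 200 18233 "-" "Mozilla/5.0" 912 0.031 [cattle-system-rancher-443] [] 10.42.0.15:443 18233 0.030 200 7f1f`

func main() {
	for ip, n := range OversizedWritesBySource(sampleLog) {
		fmt.Printf("%s sent %d oversized write request(s) to the Rancher API\n", ip, n)
	}
}
```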
Monitoring Recommendations
- Track memory and CPU utilization of Rancher Manager pods with Prometheus or an equivalent metrics pipeline and alert on sustained pressure.
- Monitor ingress controller metrics for elevated request_size_bytes percentiles on Rancher hostnames.
- Forward Rancher and ingress logs to a centralized analytics platform for retroactive investigation of DoS events.
How to Mitigate CVE-2024-58259
Immediate Actions Required
- Upgrade Rancher Manager to a fixed release as listed in the GitHub Security Advisory GHSA-4h45-jpvh-6p5j.
- Restrict network exposure of the Rancher Manager API so that only trusted networks and administrators can reach it.
- Enforce request body size limits at the ingress or reverse proxy layer in front of Rancher Manager.
Patch Information
SUSE has published fix information in the SUSE Bugzilla entry for CVE-2024-58259 and in the upstream Rancher GitHub Security Advisory. Apply the vendor-supplied patched versions to enforce request body size limits on the affected endpoints.
Workarounds
- Place Rancher Manager behind an ingress controller or WAF configured to reject requests exceeding a sensible body size (for example, 1 MB to 10 MB depending on workflow requirements).
- Rate-limit unauthenticated endpoints at the ingress layer to slow exploitation attempts.
- Apply Kubernetes resource limits to the Rancher Manager pods so that an OOM kill is contained to the affected pod and the pod is restarted automatically.
# NGINX Ingress example: cap request body size for the Rancher host
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rancher
  annotations:
    # Reject any request body above 2 MB with 413 before it reaches Rancher
    nginx.ingress.kubernetes.io/proxy-body-size: "2m"
    # Per-client-IP rate limit (requests per second) and concurrent connection cap
    nginx.ingress.kubernetes.io/limit-rps: "20"
    nginx.ingress.kubernetes.io/limit-connections: "10"
spec:
  rules:
  - host: rancher.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: rancher
            port:
              number: 443
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


