CVE Vulnerability Database

CVE-2025-30373: Graylog Auth Bypass Vulnerability

CVE-2025-30373 is an authentication bypass flaw in Graylog that allows unauthorized message ingestion despite authentication checks. This article covers the technical details, affected versions, and mitigation strategies.

CVE-2025-30373 Overview

CVE-2025-30373 is an authentication bypass vulnerability affecting Graylog, a free and open-source log management platform. Starting with version 6.1, Graylog's HTTP Inputs feature allows administrators to configure header-based authentication for HTTP-based log ingestion. However, when the authentication header is missing or carries an incorrect value, the server correctly returns an HTTP 401 Unauthorized response but still ingests the log message into the system.

This vulnerability represents a significant security gap in log ingestion pipelines, as attackers could potentially inject malicious or fraudulent log data into Graylog instances without proper authentication, compromising log integrity and potentially facilitating log injection attacks.

Critical Impact

Unauthorized log ingestion allows attackers to inject arbitrary data into Graylog systems, potentially poisoning audit trails, hiding malicious activity, or flooding systems with fraudulent log entries.

Affected Products

  • Graylog versions 6.1 through 6.1.8
  • Graylog installations using HTTP-based inputs with header authentication
  • Any deployment relying on HTTP input authentication for access control

Discovery Timeline

  • 2025-04-07 - CVE-2025-30373 published to NVD
  • 2025-10-30 - Last updated in NVD database

Technical Details for CVE-2025-30373

Vulnerability Analysis

This vulnerability is classified under CWE-285 (Improper Authorization). The issue stems from a missing control flow statement in the HTTP handler that processes incoming log messages. When the authentication header validation fails, the server correctly sends an HTTP 401 Unauthorized response to the client, but critically fails to terminate the request processing flow. As a result, the log message continues through the ingestion pipeline and is stored in the Graylog database.

The vulnerability allows network-based attackers to bypass authentication controls without requiring any privileges or user interaction. While the confidentiality impact is limited, the integrity of the logging system is compromised as unauthorized data can be written to the log store.

Root Cause

The root cause is a missing return statement after sending the HTTP 401 response in the HttpHandler.java class. When the authorization header is blank or doesn't match the expected value, the handler correctly constructs and sends an unauthorized response, but then continues executing subsequent code that ingests the message. This is a classic example of improper control flow where error handling does not properly terminate the request lifecycle.
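To make the defect concrete, here is an added illustration (not Graylog's code) of the same control-flow bug in a minimal Python HTTP input: one handler writes the 401 and then falls through into the ingestion step, the other returns right after the 401, which is exactly what the one-line fix does. The header name, the shared secret and the 202 status for an accepted message are assumptions made for this demo.

```python
"""Minimal HTTP input that reproduces the CVE-2025-30373 control-flow defect.
Added example, not Graylog code.  Header name, secret and the 202 status for an
accepted message are assumptions made for this demo."""
import hmac
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

AUTH_HEADER = "Authorization"          # assumed header name
EXPECTED_VALUE = "Bearer demo-secret"  # constructed shared secret for the demo

# Opener with no proxies so the loopback requests never leave the host.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class _InputHandler(BaseHTTPRequestHandler):
    STOP_AFTER_401 = True  # subclasses flip this to reproduce the bug

    def log_message(self, *args):  # silence per-request logging
        pass

    def _reply(self, status):
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        supplied = self.headers.get(AUTH_HEADER, "")
        responded = False
        # Compare as bytes in constant time so the check itself leaks nothing.
        if not supplied or not hmac.compare_digest(supplied.encode(), EXPECTED_VALUE.encode()):
            self._reply(401)
            responded = True
            if self.STOP_AFTER_401:
                return  # the single line the Graylog fix adds
        # Ingestion pipeline.  On the vulnerable path this also runs after the 401.
        self.server.ingested.append(body.decode("utf-8", "replace"))
        if not responded:
            self._reply(202)


class VulnerableInput(_InputHandler):
    STOP_AFTER_401 = False  # pre-6.1.9 shape: 401 sent, message stored anyway


class FixedInput(_InputHandler):
    STOP_AFTER_401 = True   # shape after the patch


class _InputServer(ThreadingHTTPServer):
    def __init__(self, handler_cls):
        super().__init__(("127.0.0.1", 0), handler_cls)  # port 0: pick a free port
        self.ingested = []


def post(url, body, header_value=None):
    """POST one message; return the HTTP status (a 401 is returned, not raised)."""
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    if header_value is not None:
        req.add_header(AUTH_HEADER, header_value)
    try:
        with _OPENER.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def exercise(handler_cls):
    """Send a valid, a header-less and a wrong-header message; report what the
    client saw and what the server actually stored."""
    srv = _InputServer(handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{srv.server_address[1]}/"
    try:
        statuses = [
            post(url, "legit message", EXPECTED_VALUE),
            post(url, "no header at all"),
            post(url, "wrong header", "Bearer guess"),
        ]
    finally:
        srv.shutdown()
        srv.server_close()
    return {"statuses": statuses, "ingested": list(srv.ingested)}


if __name__ == "__main__":
    for cls in (VulnerableInput, FixedInput):
        print(cls.__name__, exercise(cls))
```

Both servers answer the two bad requests with 401, so a client-side test that only checks status codes passes against both; only the server-side store shows the difference, which is why the detection advice below compares access-log outcomes with what was actually ingested.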

Attack Vector

The attack can be executed remotely over the network with low complexity. An attacker can simply send HTTP requests to the Graylog HTTP input endpoint without the required authentication header, or with an incorrect header value. Despite receiving a 401 response, the log data included in the request body will be processed and stored. This enables:

  1. Log Injection Attacks - Injecting false log entries to mask malicious activity
  2. Log Poisoning - Corrupting log data integrity for compliance or forensic analysis
  3. Resource Exhaustion - Flooding the log store with unauthorized entries

The following patch demonstrates the fix applied to address this vulnerability:

```diff
             final String suppliedAuthHeaderValue = request.headers().get(authorizationHeader);
             if (isBlank(suppliedAuthHeaderValue) || !suppliedAuthHeaderValue.equals(authorizationHeaderValue)) {
                 writeResponse(channel, keepAlive, httpRequestVersion, HttpResponseStatus.UNAUTHORIZED, origin);
+                return;
             }
         }
```

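Review bot: the added `return` directly after `writeResponse(..., HttpResponseStatus.UNAUTHORIZED, ...)` is the right fix, but the condition above it still rejects via `!suppliedAuthHeaderValue.equals(authorizationHeaderValue)`, an ordinary short-circuiting string comparison; consider comparing the two values as bytes with `MessageDigest.isEqual` so the header check runs in constant time regardless of how much of the expected value matches. A regression test that posts a message without the header, asserts the 401, and then asserts that nothing was handed to the ingestion pipeline would lock in the behaviour this hunk restores.
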
Source: GitHub Commit 31bc13d

The fix adds a critical return statement that terminates request processing after sending the 401 response, preventing unauthorized message ingestion.

Detection Methods for CVE-2025-30373

Indicators of Compromise

  • Unexpected log entries appearing in Graylog from unrecognized sources
  • High volume of HTTP 401 responses in web server logs for Graylog HTTP input endpoints
  • Log entries with suspicious or anomalous content patterns that bypass normal ingestion validation
  • Discrepancies between HTTP access logs (showing rejected requests) and Graylog message counts (showing successful ingestion)

Detection Strategies

  • Monitor HTTP input endpoints for requests missing required authentication headers
  • Compare HTTP access log rejection counts against actual message ingestion rates
  • Implement anomaly detection for unusual log source patterns or message volumes
  • Review Graylog audit logs for message sources that should have been rejected

Monitoring Recommendations

  • Enable detailed HTTP access logging for all Graylog input endpoints
  • Set up alerts for authentication failures followed by successful message ingestion
  • Monitor for sudden increases in log volume from HTTP inputs
  • Implement log source allowlisting and monitor for unauthorized sources
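As an added example (not part of this article and not a Graylog feature), the strategy of comparing access-log rejections against actual ingestion, and the alert on "authentication failures followed by successful ingestion", carried out in Python over a reverse-proxy access log. The log lines are constructed; the `/gelf` path is the one Graylog's documentation uses for the GELF HTTP input and the count of stored messages is supplied by the analyst (for example from a Graylog search restricted to that input).

```python
"""Added detection example, not part of the original article and not Graylog code.

Correlates an nginx 'combined' access log in front of a Graylog HTTP input with
the number of messages the input actually stored over the same window.  With
CVE-2025-30373, requests answered 401 were still ingested, so the stored count
exceeds the number of accepted requests by the number of rejected ones."""
import re
from collections import Counter

INPUT_PATH = "/gelf"  # assumption: the HTTP input is proxied under this path

# Constructed sample log lines (nginx 'combined' format).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [07/Apr/2025:10:00:01 +0000] "POST /gelf HTTP/1.1" 202 0 "-" "fluent-bit"
10.0.0.5 - - [07/Apr/2025:10:00:02 +0000] "POST /gelf HTTP/1.1" 202 0 "-" "fluent-bit"
203.0.113.9 - - [07/Apr/2025:10:00:03 +0000] "POST /gelf HTTP/1.1" 401 0 "-" "curl/8.5.0"
203.0.113.9 - - [07/Apr/2025:10:00:03 +0000] "POST /gelf HTTP/1.1" 401 0 "-" "curl/8.5.0"
198.51.100.2 - - [07/Apr/2025:10:00:04 +0000] "POST /gelf HTTP/1.1" 401 0 "-" "python-requests/2.31"
10.0.0.6 - - [07/Apr/2025:10:00:05 +0000] "POST /gelf HTTP/1.1" 202 0 "-" "fluent-bit"
203.0.113.9 - - [07/Apr/2025:10:00:06 +0000] "POST /gelf HTTP/1.1" 401 0 "-" "curl/8.5.0"
10.0.0.7 - - [07/Apr/2025:10:00:07 +0000] "GET /api/system/inputs HTTP/1.1" 200 512 "-" "curl/8.5.0"
10.0.0.8 - - [07/Apr/2025:10:00:08 +0000] "POST /gelf HTTP/1.1" 413 0 "-" "fluent-bit"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_access_log(text):
    """Yield one dict per parsable line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            yield entry


def summarize_input_traffic(entries, input_path=INPUT_PATH):
    """Count accepted (2xx) and rejected (401) POSTs to the input path, per source."""
    accepted = 0
    other = 0
    rejected_by_ip = Counter()
    for e in entries:
        if e["method"] != "POST" or e["path"].split("?", 1)[0] != input_path:
            continue  # not a message submission to this input
        if 200 <= e["status"] < 300:
            accepted += 1
        elif e["status"] == 401:
            rejected_by_ip[e["ip"]] += 1
        else:
            other += 1  # e.g. 413 payload too large: rejected, but not an auth failure
    return {
        "accepted": accepted,
        "rejected": sum(rejected_by_ip.values()),
        "rejected_by_ip": dict(rejected_by_ip),
        "other": other,
    }


def assess_bypass(summary, stored_messages):
    """Compare what the proxy accepted with what Graylog stored for the same window.

    stored_messages is measured independently by the analyst (e.g. a search on
    the input's gl2_source_input field).  Any excess over accepted requests
    means messages entered without passing the header check; an excess equal
    to the 401 count is the exact signature of CVE-2025-30373."""
    excess = stored_messages - summary["accepted"]
    return {
        "excess": excess,
        "suspicious": excess > 0,
        "matches_rejected": excess == summary["rejected"],
        "top_rejected_sources": sorted(
            summary["rejected_by_ip"].items(), key=lambda kv: (-kv[1], kv[0])
        ),
    }


if __name__ == "__main__":
    s = summarize_input_traffic(parse_access_log(SAMPLE_ACCESS_LOG))
    print("proxy view:", s)
    print("stored=7 ->", assess_bypass(s, stored_messages=7))
    print("stored=3 ->", assess_bypass(s, stored_messages=3))
```

On the constructed log the proxy accepted 3 submissions and rejected 4; a stored count of 7 for the window yields an excess of 4 that matches the rejection count exactly, while a stored count of 3 is consistent with a patched input. In production, take both counts over the same time window and the same input, and alert on any positive excess rather than only on an exact match.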

How to Mitigate CVE-2025-30373

Immediate Actions Required

  • Upgrade Graylog to version 6.1.9 or later immediately
  • Disable HTTP-based inputs until patching is complete
  • Switch to authenticated pull-based inputs as an interim measure
  • Review recently ingested logs for signs of unauthorized injection

Patch Information

The vulnerability is fixed in Graylog version 6.1.9. The patch adds proper control flow termination after authentication failures in the HTTP handler. Organizations should upgrade to this version or later as soon as possible. The fix is available in commit 31bc13d3cd6f550ec83473d0f8666cd3ebf50f10.

For detailed information, see the GitHub Security Advisory GHSA-q7g5-jq6p-6wvx.

Workarounds

  • Disable all HTTP-based inputs and migrate to authenticated pull-based input methods
  • Implement network-level access controls (firewall rules, IP allowlisting) to restrict HTTP input endpoint access
  • Deploy a reverse proxy with additional authentication layers in front of Graylog HTTP inputs
  • Use VPN or private network segments to isolate Graylog HTTP input endpoints from untrusted networks

```bash
# Configuration example - disable HTTP inputs in Graylog
# In the web interface: System > Inputs, then stop or delete every HTTP-based input.
# Alternatively, remove an input by id through the REST API. Note that DELETE on
# /system/inputs removes the input definition, so re-create it after upgrading.
# {input-id} and admin:password are placeholders for your own input id and credentials.
curl -X DELETE "https://graylog-server:9000/api/system/inputs/{input-id}" \
  -H "X-Requested-By: CLI" \
  -u admin:password
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
