Advisories for Gem/Fluentd package

2026

Fluentd is Vulnerable to Remote Code Execution (RCE) via Arbitrary File Write in `${tag}` Placeholder

Fluentd allows dynamically constructing file paths using the ${tag} placeholder. It was discovered that validation for this placeholder was insufficient. If a Fluentd instance is configured to receive logs from untrusted sources and uses the ${tag} placeholder in file configurations (such as the path parameter in the out_file plugin), an attacker can inject path traversal characters (e.g., ../). When combined with certain formatting options, this vulnerability allows an attacker to …

Fluentd is Vulnerable to Exposure of Sensitive Information via Monitor Agent API

Fluentd's Monitor Agent plugin (in_monitor_agent) exposes internal metrics and plugin information via a REST API. It was discovered that the API response (/api/plugins.json and related endpoints) unintentionally includes internal instance variables of loaded plugins. If any plugins store sensitive information—such as database passwords, API keys, or cloud credentials—in its instance variables, this information may be exposed in plain text to any user or system that has HTTP access to the …

Fluentd is Vulnerable to Denial of Service (DoS) via Gzip Decompression Bomb in `in_http` and `in_forward`

Fluentd's in_http and in_forward plugins support receiving gzip-compressed data. While Fluentd correctly enforces size limits on the incoming compressed payloads (e.g., via body_size_limit or chunk_size_limit), it was discovered that there is no limit enforced on the size of the decompressed data. If a Fluentd instance is exposed to untrusted networks, an attacker can send a maliciously crafted, highly compressed payload. When Fluentd attempts to decompress this payload in memory, it …

2023
2022

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable FLUENT_OJ_OPTION_MODE is explicitly set to object. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier …

2021

Uncontrolled Resource Consumption

Fluentd collects events from various data sources and writes them to files to help unify logging infrastructure. The parser_apache2 plugin in Fluentd suffers from a regular expression denial of service (ReDoS) vulnerability. A broken apache log with a certain pattern of string can spend too much time in a regular expression, resulting in the potential for a DoS attack. There are two workarounds available. Either don't use parser_apache2 for parsing …

2017