
CVE-2025-30373: Graylog's Authenticated HTTP inputs ingest message even if Authorization header is missing or has wrong value

April 7, 2025 (updated May 7, 2025)

Starting with Graylog 6.1, HTTP Inputs can be configured to require that a specified request header be present with a specified value, as a form of authentication for HTTP-based ingestion. In affected versions a request whose header is missing or carries the wrong value does receive the correct HTTP 401 response, but the message body is ingested anyway. Because the sender sees a rejection, the flaw is not visible from the client side; only the presence of the supposedly rejected message in the ingested data reveals it.
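The following is an added illustration, not Graylog's code: a minimal model of an HTTP input handler in the two shapes the advisory describes. The names (AuthConfig, IngestQueue, vulnerable_handle, fixed_handle, probe, is_vulnerable) and the JSON bodies are hypothetical and constructed for the example. The vulnerable handler prepares the 401 response when the header check fails but still passes the body to the ingest queue; the fixed handler returns before ingesting. The probe sends a message with the header missing, with a wrong value and with the correct value, and records both the status the sender saw and whether the message landed in the queue, which is the only observation that tells the two handlers apart.

```python
"""Model of the CVE-2025-30373 failure mode (added example, not Graylog code).

An HTTP input that requires a configured header answers 401 when the header is
missing or wrong, but the vulnerable shape still hands the body to ingestion.
All class and function names below are hypothetical.
"""
from dataclasses import dataclass
import hmac


@dataclass
class AuthConfig:
    header_name: str      # e.g. "Authorization"
    expected_value: str   # e.g. "Bearer <token>"


@dataclass
class HttpResponse:
    status: int
    body: str = ""


class IngestQueue:
    """Stand-in for the input's message journal / processing pipeline."""

    def __init__(self):
        self.messages = []

    def enqueue(self, raw):
        self.messages.append(raw)


def _header_ok(headers, cfg):
    # Header names are matched case-insensitively; the value is compared in
    # constant time so the check does not leak the expected value through timing.
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(cfg.header_name.lower())
    return value is not None and hmac.compare_digest(value, cfg.expected_value)


def vulnerable_handle(headers, body, cfg, queue):
    """Bug pattern: the 401 is prepared, but control falls through to enqueue()."""
    response = HttpResponse(200)
    if not _header_ok(headers, cfg):
        response = HttpResponse(401, "Unauthorized")
    queue.enqueue(body)          # reached regardless of the check above
    return response


def fixed_handle(headers, body, cfg, queue):
    """Corrected shape: a failed check ends the request before anything is ingested."""
    if not _header_ok(headers, cfg):
        return HttpResponse(401, "Unauthorized")
    queue.enqueue(body)
    return HttpResponse(200)


def probe(handler, cfg):
    """Send three constructed requests; return (case, status, ingested) per case."""
    cases = {
        "missing": {},
        "wrong": {cfg.header_name: "Bearer not-the-token"},
        "correct": {cfg.header_name: cfg.expected_value},
    }
    results = []
    for name, headers in cases.items():
        queue = IngestQueue()
        marker = f"cve-2025-30373-probe-{name}"
        body = f'{{"version": "1.1", "short_message": "{marker}"}}'  # constructed JSON body
        resp = handler(headers, body, cfg, queue)
        results.append((name, resp.status, any(marker in m for m in queue.messages)))
    return results


def is_vulnerable(handler, cfg):
    """A 401 alone proves nothing; the input is affected if a rejected request was still ingested."""
    return any(ingested for _, status, ingested in probe(handler, cfg) if status == 401)


if __name__ == "__main__":
    cfg = AuthConfig("Authorization", "Bearer s3cr3t")
    for handler in (vulnerable_handle, fixed_handle):
        verdict = "vulnerable" if is_vulnerable(handler, cfg) else "ok"
        print(handler.__name__, probe(handler, cfg), verdict)
```

On a live instance the equivalent check is the same shape: post a message with a unique marker to the input without the configured header, confirm the 401, and then search for the marker in the ingested data; a hit means the input is still affected, and a 401 on its own is not evidence that the message was dropped.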

References

  • github.com/Graylog2/graylog2-server
  • github.com/Graylog2/graylog2-server/commit/31bc13d3cd6f550ec83473d0f8666cd3ebf50f10
  • github.com/Graylog2/graylog2-server/security/advisories/GHSA-q7g5-jq6p-6wvx
  • github.com/advisories/GHSA-q7g5-jq6p-6wvx
  • nvd.nist.gov/vuln/detail/CVE-2025-30373

Affected versions

All versions starting from 6.1.0 before 6.1.9

Fixed versions

  • 6.1.9

Solution

Upgrade to version 6.1.9 or above.

Impact

6.5 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

The vector describes an unauthenticated network attacker (AV:N, PR:N, UI:N) who can inject arbitrary messages into the input (I:L) and add unwanted ingest load (A:L); no confidentiality impact is claimed (C:N).

Weakness

  • CWE-285: Improper Authorization

Source file

maven/org.graylog2/graylog2-server/CVE-2025-30373.yml

Page generated Wed, 14 May 2025 12:16:02 +0000.