New: Corgea AI Pentesting — autonomous penetration testing in hours, not weeks
LOW 2.7 RubyGems

fluent-plugin-s3 Vulnerable to Denial of Service (DoS) via Decompression Bomb in `in_s3`

GHSA-xv9w-7v6q-hpjh · CVE-2026-44162

Published · Modified

Description

The fluent-plugin-s3 plugin (specifically the in_s3 input plugin) supports reading and decompressing heavily compressed files (such as gzip, lzma2, and lzop) from Amazon S3.
It was discovered that the plugin read the entire decompressed payload into memory at once without enforcing a strict size limit.

If an attacker has sufficient permissions to upload files to the monitored S3 bucket, they can upload a maliciously crafted, highly compressed file.
When Fluentd attempts to decompress this file, it will expand to an excessive size and it will consume significant system resources.

Impact

This vulnerability allows for a Denial of Service (DoS) attack via memory exhaustion.
The rapid memory consumption during decompression can lead to an Out-of-Memory kill of the Fluentd process by the operating system,
This results in the disruption of all log collection on the affected node.

Patches

v1.8.5

Workarounds

If an immediate upgrade is not possible, mitigate the risk by applying strict IAM access controls:

  1. Restrict Bucket Access
    • Ensure that write (PUT) access to the S3 bucket monitored by in_s3 is strictly limited to trusted services and administrators. Prevent any public or untrusted uploads to the S3 bucket.

Ready to move

Start Securing

Free, no credit card | First findings in minutes