CVE-2024-50609
Published: 18 February 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2024-50609 is a vulnerability discovered in Fluent Bit version 3.1.9, specifically affecting the OpenTelemetry input plugin. When the plugin is configured to listen on an IP address and port, sending a specially crafted packet with a Content-Length header set to 0 triggers a server crash. This stems from improper handling of zero-length Content-Length values, leading to a NULL pointer dereference in the cfl_sds_len function, which attempts to cast a NULL pointer to a struct cfl_sds. The issue occurs in the process_payload_traces_proto_ng() function within opentelemetry_prot.c and is classified under CWE-476 (NULL Pointer Dereference).
The vulnerability enables a remote denial-of-service attack by any attacker who can reach the exposed OpenTelemetry endpoint over the network. Exploitation requires no privileges, authentication, or user interaction and has low complexity, as reflected in the CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Successful exploitation crashes the Fluent Bit server, disrupting logging and telemetry processing without impacting confidentiality or integrity.
Mitigation details are available in official advisories and patches from the Fluent Bit project. Security practitioners should consult the announcement at https://fluentbit.io/announcements/, release notes at https://github.com/fluent/fluent-bit/releases, and additional analysis at https://www.ebryx.com/blogs/exploring-cve-2024-50608-and-cve-2024-50609 for upgrade instructions and workarounds. The CVE was published on 2025-02-18.
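To make the CWE-476 failure mode concrete, the following added example (not Fluent Bit's source; the header layout, names and handler are constructed for illustration) models an sds-style string whose length field sits just before the character buffer, shows the unchecked length read that faults on a NULL handle, and the hardened variant plus an empty-body check a payload handler would perform before parsing.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed header layout modelled on the sds idea (length stored just
 * before the character buffer); this is not Fluent Bit's own struct cfl_sds. */
struct sds_hdr { size_t len; size_t alloc; };
typedef char *sds_t;

#define SDS_HDR(s) ((struct sds_hdr *)((s) - sizeof(struct sds_hdr)))

/* Allocate an sds string holding n bytes of src; returns the buffer handle. */
sds_t sds_new(const char *src, size_t n)
{
    struct sds_hdr *h = malloc(sizeof(*h) + n + 1);
    if (h == NULL)
        return NULL;
    h->len = n;
    h->alloc = n;
    memcpy((char *)(h + 1), src, n);
    ((char *)(h + 1))[n] = '\0';
    return (char *)(h + 1);
}

/* Vulnerable pattern: the header is read without checking the handle. With a
 * NULL handle SDS_HDR() yields an invalid address and the read faults. */
size_t sds_len_unchecked(sds_t s)
{
    return SDS_HDR(s)->len;
}

/* Hardened pattern: a NULL handle is reported as an empty string. */
size_t sds_len_checked(sds_t s)
{
    if (s == NULL)
        return 0;
    return SDS_HDR(s)->len;
}

/* Handler modelled on the advisory's failure mode: when a request carries
 * Content-Length: 0 no body buffer is allocated and the body arrives as NULL.
 * Returns -1 when the payload is rejected, 0 when it may be parsed. */
int process_payload(sds_t body)
{
    if (sds_len_checked(body) == 0)
        return -1;          /* reject empty bodies before any parsing */
    return 0;               /* parsing of a non-empty body would follow here */
}
```

The hardened check turns the crash into a rejected request, which is the behaviour a patched input plugin should exhibit for an empty body.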
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2024-50609 enables remote denial of service by crashing the Fluent Bit OpenTelemetry input plugin via a packet with Content-Length: 0, exploiting a NULL pointer dereference (T1499.004: Application or System Exploitation).