Elasticsearch, Stack Overflow Vulnerability, CVE-2025-XXXX (Moderate)

Elasticsearch is vulnerable to a stack overflow due to improper handling of deeply nested GeometryCollection objects in Well-Known Text (WKT) formatted strings. When parsing a maliciously crafted WKT string containing excessive recursion, Elasticsearch fails to enforce depth limits, leading to a stack exhaustion crash. This affects versions 7.17.0 through 7.17.23 and 8.0.0-alpha1 through 8.15.0. Attackers could exploit this by submitting a specially crafted query, causing denial of service (DoS).
The vulnerability occurs in the `org.elasticsearch:elasticsearch` library during WKT parsing. The parser recursively processes nested GeometryCollections without validating the recursion depth. Each recursive call consumes stack space, so sufficiently deep nesting exhausts the thread's stack and the resulting StackOverflowError crashes the JVM. Patched versions (7.17.24 and 8.15.1) enforce recursion limits.

DailyCVE Form:

Platform: Elasticsearch
Version: 7.17.0-8.15.0
Vulnerability: Stack Overflow
Severity: Moderate
Date: Apr 9, 2025

What Undercode Says:

Exploitation:

1. Craft a malicious WKT string with nested GeometryCollections:

   GEOMETRYCOLLECTION(GEOMETRYCOLLECTION(GEOMETRYCOLLECTION(...)))

2. Send via Elasticsearch query:

   curl -XPOST "http://target:9200/_search" -H 'Content-Type: application/json' -d '{
     "query": {
       "geo_shape": {
         "location": {
           "shape": "MALICIOUS_WKT_STRING"
         }
       }
     }
   }'

Mitigation:

1. Upgrade to patched versions (7.17.24 for the 7.x line, 8.15.1 for the 8.x line). Elasticsearch itself is not upgraded through elasticsearch-plugin; install the patched package from the Elastic package repository, for example on a Debian/Ubuntu host with that repository configured:

For 7.x
sudo apt-get install elasticsearch=7.17.24
For 8.x
sudo apt-get install elasticsearch=8.15.1

2. Apply input validation for WKT strings:

// Java snippet to limit recursion depth before a WKT string reaches the parser
public void parseWKT(String wkt) {
    int maxDepth = 50;
    validateRecursionDepth(wkt, maxDepth);
}

// Every nested GEOMETRYCOLLECTION opens a parenthesis, so parenthesis depth bounds nesting depth
private void validateRecursionDepth(String wkt, int maxDepth) {
    int depth = 0;
    for (char c : wkt.toCharArray()) {
        if (c == '(' && ++depth > maxDepth) throw new IllegalArgumentException("WKT nesting exceeds " + maxDepth);
        if (c == ')') depth--;
    }
}
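The following is an added example (not Elasticsearch's own WKT parser, and not code from the advisory) that shows the bug class and the fix side by side: a minimal recursive-descent parser for GEOMETRYCOLLECTION and POINT, once with unbounded recursion, the shape described in the vulnerability summary above, and once with the depth check the mitigation step calls for. The limit of 50 and the helper names are assumptions for this example; the advisory does not state the value the patched parser uses. CPython raises RecursionError where the JVM throws StackOverflowError, which is what makes the unbounded case observable here without crashing the process.

```python
import re
import sys

MAX_DEPTH = 50  # assumed limit for this example; the advisory does not state the patched value

# Minimal WKT tokenizer for GEOMETRYCOLLECTION and POINT only (enough to show the recursion)
_TOKEN = re.compile(r"\s*(GEOMETRYCOLLECTION|POINT|\(|\)|,|-?\d+(?:\.\d+)?)", re.I)


def _tokens(wkt):
    wkt = wkt.strip()
    pos, out = 0, []
    while pos < len(wkt):
        m = _TOKEN.match(wkt, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}")
        out.append(m.group(1).upper())
        pos = m.end()
    return out


class _Parser:
    """Recursive-descent parser; max_depth=None reproduces the unbounded (vulnerable) behaviour."""

    def __init__(self, tokens, max_depth):
        self.toks, self.i, self.max_depth = tokens, 0, max_depth

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _next(self):
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of WKT")
        self.i += 1
        return tok

    def _expect(self, want):
        got = self._next()
        if got != want:
            raise ValueError(f"expected {want!r}, got {got!r}")

    def geometry(self, depth=0):
        kind = self._next()
        if kind == "POINT":
            self._expect("(")
            x, y = float(self._next()), float(self._next())
            self._expect(")")
            return ("POINT", x, y)
        if kind == "GEOMETRYCOLLECTION":
            # The fix: refuse to descend further *before* the recursive call, so the
            # stack cost is bounded by max_depth instead of by the input's nesting.
            if self.max_depth is not None and depth >= self.max_depth:
                raise ValueError(f"GeometryCollection nesting exceeds {self.max_depth}")
            self._expect("(")
            members = [self.geometry(depth + 1)]
            while self._peek() == ",":
                self._next()
                members.append(self.geometry(depth + 1))
            self._expect(")")
            return ("GEOMETRYCOLLECTION", members)
        raise ValueError(f"unsupported geometry {kind!r}")


def parse_wkt_unbounded(wkt):
    """Vulnerable shape: recursion depth is whatever the input dictates."""
    return _Parser(_tokens(wkt), None).geometry()


def parse_wkt(wkt, max_depth=MAX_DEPTH):
    """Hardened shape: nesting is capped before each descent."""
    return _Parser(_tokens(wkt), max_depth).geometry()


def nested_collection(depth):
    """Constructed test input: `depth` GEOMETRYCOLLECTION wrappers around one POINT."""
    return "GEOMETRYCOLLECTION(" * depth + "POINT(1 2)" + ")" * depth


def deep_enough():
    """A nesting depth guaranteed to exceed the interpreter's own recursion limit."""
    return sys.getrecursionlimit() + 100


def outcome(parser, wkt):
    """Run a parser and report how it ended instead of letting the failure propagate."""
    try:
        parser(wkt)
        return "parsed"
    except RecursionError:
        return "stack exhausted"  # CPython's equivalent of the JVM's StackOverflowError
    except ValueError as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    for depth in (5, MAX_DEPTH, MAX_DEPTH + 1, deep_enough()):
        print(f"depth {depth:>5}: unbounded -> {outcome(parse_wkt_unbounded, nested_collection(depth))!r}, "
              f"capped -> {outcome(parse_wkt, nested_collection(depth))!r}")
```

The point of the placement of the check is that it runs before the recursive call, so the worst-case stack use is fixed at the limit; a check that only counts after descending would still let the stack grow with the input. The hardened parser rejects over-deep input with an ordinary ValueError that the request handler can turn into a 400 response, instead of an Error that takes the JVM down.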

Detection:

1. Monitor logs for stack overflow errors:

grep -i "stackoverflow" /var/log/elasticsearch/elasticsearch.log

2. Use Elasticsearch API to check version:

curl -XGET "http://localhost:9200"
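Both detection steps above, log monitoring and the version check, as an added example that is not part of the advisory: the log lines and the cluster root response below are constructed samples in the default Elasticsearch log layout, not output from a real cluster, and the attribution logic (tying an exception line to the most recent timestamped entry) is this example's own design. The affected and fixed version numbers are the ones the advisory states.

```python
import json
import re

# Constructed sample lines in Elasticsearch's default log4j layout
# ([timestamp][LEVEL][logger] [node] message); not taken from a real cluster.
SAMPLE_LOG = """\
[2025-04-09T10:12:01,114][INFO ][o.e.n.Node               ] [node-1] started
[2025-04-09T10:15:43,902][WARN ][o.e.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic
java.lang.StackOverflowError: null
[2025-04-09T10:15:44,010][INFO ][o.e.c.r.a.AllocationService] [node-1] cluster health changed
"""

_ENTRY = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>\w+)\s*\]\[(?P<logger>[^\]]+)\]\s*\[(?P<node>[^\]]+)\]\s*(?P<msg>.*)$"
)


def find_stack_overflows(log_text):
    """One finding per StackOverflowError, attributed to the timestamped entry it belongs to.

    Exception and stack-frame lines carry no timestamp of their own, so the most recent
    entry header is remembered and used for attribution (a plain grep loses that context).
    """
    findings, current = [], None
    for line in log_text.splitlines():
        m = _ENTRY.match(line)
        if m:
            current = m.groupdict()
            text = current["msg"]
        else:
            text = line
        if "StackOverflowError" in text and current is not None:
            findings.append({
                "timestamp": current["ts"],
                "node": current["node"],
                "logger": current["logger"].strip(),
                "detail": text.strip(),
            })
    return findings


# Affected and first-fixed versions as stated in the advisory, per release line.
_AFFECTED_FROM = {7: (7, 17, 0), 8: (8, 0, 0)}
_FIXED_IN = {7: (7, 17, 24), 8: (8, 15, 1)}


def parse_version(text):
    """'8.0.0-alpha1' -> (8, 0, 0); pre-release tags are dropped, which keeps 8.0.0-alpha1 in range."""
    return tuple(int(p) for p in text.split("-", 1)[0].split("."))


def is_affected(version):
    """True when `version` falls in 7.17.0..7.17.23 or 8.0.0..8.15.0."""
    v = parse_version(version)
    line = v[0]
    if line not in _FIXED_IN:
        return False  # the advisory lists only the 7.17 and 8.x release lines
    return _AFFECTED_FROM[line] <= v < _FIXED_IN[line]


def check_cluster_info(root_response):
    """Apply is_affected() to the JSON body returned by `curl -XGET http://localhost:9200`."""
    info = json.loads(root_response)
    number = info["version"]["number"]
    return {"version": number, "affected": is_affected(number)}


# Constructed stand-in for the cluster root response; only the fields used here are included.
SAMPLE_ROOT = '{"name": "node-1", "version": {"number": "8.15.0"}}'

if __name__ == "__main__":
    for finding in find_stack_overflows(SAMPLE_LOG):
        print("StackOverflowError:", finding)
    print(check_cluster_info(SAMPLE_ROOT))
```

To use it against a live node, feed the contents of elasticsearch.log to find_stack_overflows() and the body of the root request to check_cluster_info(); a StackOverflowError logged by an HTTP or search component on an affected version is the signal worth alerting on.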

Workaround:

  • If geo_shape queries are unused, block them in front of the cluster: reject search requests whose body contains a "geo_shape" clause at the reverse proxy or API gateway that sits before Elasticsearch. Note that the following elasticsearch.yml setting disables scripting only and has no effect on geo_shape or WKT parsing:
    elasticsearch.yml
    script.allowed_types: none
    

References:

Reported By: https://github.com/advisories/GHSA-5xm9-x7x4-4j5x