Graylog, Authentication Bypass, CVE-2025-XXXX (Moderate)

Graylog’s HTTP input authentication flaw (CVE-2025-XXXX) allows message ingestion even when the `Authorization` header is missing or incorrect. When an HTTP input is configured to validate headers, Graylog 6.1.0 through 6.1.8 answers the request with `401 Unauthorized` but still processes the message. The cause is improper validation logic in the HTTP input handler: the authentication check fails, yet the payload is not discarded. Attackers can exploit this to inject unauthorized logs into the system while the requests appear to have been rejected.

DailyCVE Form:

Platform: Graylog
Version: 6.1.0-6.1.8
Vulnerability: Auth bypass
Severity: Moderate
Date: 2025-04-07

What Undercode Says:

Exploitation:

1. Craft an HTTP POST request to Graylog’s HTTP input endpoint:

curl -X POST http://<graylog-server>:9000/api/inputs -H "Content-Type: application/json" --data '{"message":"malicious log"}'

2. Observe the `401` response, then verify that the message was nevertheless ingested.

Detection:

Check Graylog logs for unauthenticated submissions:

grep "HTTP input unauthorized but ingested" /var/log/graylog/server.log

Mitigation:

1. Upgrade to Graylog 6.1.9.

2. Disable HTTP inputs if unused:

graylog-ctl stop-input <input-id>

3. Restrict input sources via firewall:

iptables -A INPUT -p tcp --dport 9000 ! -s <trusted-ip> -j DROP

Code Fix (Patch Analysis):

Graylog 6.1.9 corrected the handler to discard unauthenticated messages:

if (!validHeader(request)) {
    log.warn("Rejected unauthorized input");
    return Response.unauthorized(); // Now discards payload
}
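To make the flaw and the fix concrete for both the Detection and Patch Analysis sections above, here is an added, self-contained example that is not Graylog's code: a toy HTTP input class with a vulnerable handler (status decided, payload still stored) beside a hardened one (rejection before any parsing or storage), plus an audit scan that flags any request answered with 401 that still reached the message store. The class name `HttpInput`, the token value, the audit record layout and the 202 success status are all constructed assumptions for the demonstration.

```python
import hmac
import json
from dataclasses import dataclass, field

# Constructed shared secret for the example; a real input would load it from configuration.
EXPECTED_TOKEN = "Bearer s3cret-input-token"


@dataclass
class AuditEntry:
    status: int      # HTTP status returned to the client
    ingested: bool   # whether the message reached the message store


@dataclass
class HttpInput:
    """Toy stand-in for an HTTP ingestion input (assumed name, not Graylog's class)."""
    validate_headers: bool = True
    messages: list = field(default_factory=list)   # the "message store"
    audit: list = field(default_factory=list)      # one AuditEntry per request

    def _valid_header(self, headers):
        supplied = headers.get("Authorization", "")
        # Constant-time comparison so a wrong token cannot be probed byte by byte.
        return hmac.compare_digest(supplied.encode(), EXPECTED_TOKEN.encode())

    def handle_vulnerable(self, headers, body):
        """Mirrors the flaw: the 401 is returned, but the payload is stored anyway."""
        status = 202
        if self.validate_headers and not self._valid_header(headers):
            status = 401                           # client is told it was rejected ...
        self.messages.append(json.loads(body))     # ... but ingestion happens regardless
        self.audit.append(AuditEntry(status, ingested=True))
        return status

    def handle_fixed(self, headers, body):
        """Hardened: reject before the body is parsed or stored."""
        if self.validate_headers and not self._valid_header(headers):
            self.audit.append(AuditEntry(401, ingested=False))
            return 401
        self.messages.append(json.loads(body))
        self.audit.append(AuditEntry(202, ingested=True))
        return 202


def unauthorized_ingestions(audit):
    """Detection: a 401 that still led to storage is evidence of the bypass."""
    return [entry for entry in audit if entry.status == 401 and entry.ingested]


if __name__ == "__main__":
    # Constructed sample requests: one with a wrong token, one with no header, one valid.
    body = '{"message": "constructed sample log"}'
    bad = {"Authorization": "Bearer wrong"}
    good = {"Authorization": EXPECTED_TOKEN}

    vulnerable = HttpInput()
    print("vulnerable:", vulnerable.handle_vulnerable(bad, body), "stored:", len(vulnerable.messages))
    print("bypasses found:", len(unauthorized_ingestions(vulnerable.audit)))

    fixed = HttpInput()
    print("fixed (bad):", fixed.handle_fixed(bad, body), "stored:", len(fixed.messages))
    print("fixed (missing):", fixed.handle_fixed({}, body), "stored:", len(fixed.messages))
    print("fixed (good):", fixed.handle_fixed(good, body), "stored:", len(fixed.messages))
    print("bypasses found:", len(unauthorized_ingestions(fixed.audit)))
```

The design point is ordering: in the hardened handler the rejection path returns before anything touches the body, so no later code can accidentally ingest it, and the audit record makes the invariant "401 implies not ingested" checkable after the fact.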

Monitoring:

Alert on unexpected log sources:

graylog-search "NOT source:<allowed-source>" --range=1h

References:

Reported By: https://github.com/advisories/GHSA-q7g5-jq6p-6wvx