Fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)
Description
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable FLUENT_OJ_OPTION_MODE is explicitly set to object. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround do not use FLUENT_OJ_OPTION_MODE=object.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Fluentd RCE vulnerability in non-default configurations allows unauthenticated attackers to execute arbitrary code via crafted JSON payloads when FLUENT_OJ_OPTION_MODE=object.
Vulnerability
Overview
CVE-2022-39379 is a remote code execution (RCE) vulnerability in Fluentd, an open-source data collector. The flaw resides in the Oj JSON parser when the environment variable FLUENT_OJ_OPTION_MODE is explicitly set to object. In this non-default configuration, the parser deserializes JSON payloads in a mode that can instantiate arbitrary Ruby objects, leading to code execution [1][2].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a specially crafted JSON payload to a Fluentd instance that has FLUENT_OJ_OPTION_MODE=object set. The attack does not require authentication and can be delivered over any input source that accepts JSON, such as HTTP or TCP inputs. The vulnerability was introduced in Fluentd version 1.13.2 when the FLUENT_OJ_OPTION_MODE option was added [1].
Impact
Successful exploitation allows an attacker to execute arbitrary code on the host running Fluentd, potentially leading to full compromise of the logging infrastructure and access to sensitive data processed by Fluentd [1].
Mitigation
The issue is patched in Fluentd version 1.15.3. Users are strongly advised to upgrade. As a workaround, do not set FLUENT_OJ_OPTION_MODE=object; the default configuration is not affected [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
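The fix and the workaround above both come down to one thing: the value `object` must never reach Oj's mode option. The Ruby below is an added example, not Fluentd's own code; its `ALLOWED_VALUES` mirrors the post-fix constant from `lib/fluent/oj_options.rb` shown in the patch below, while `DEFAULTS`, the `FLUENT_OJ_OPTION_<NAME>` naming convention, `load_oj_options` and `affected?` are assumptions made for illustration. It shows how an allow-list turns the dangerous setting into a rejected value plus a warning, and how an operator can check a host's version and environment against the advisory's two conditions.

```ruby
# Added example (not Fluentd's own code): the allow-list check that the fix
# commit relies on, plus a small defender-side audit of the vulnerable setting.
# ALLOWED_VALUES mirrors the post-fix constants shown in the patch hunk for
# lib/fluent/oj_options.rb; DEFAULTS and the env-var naming are assumptions.
require 'rubygems'

ALLOWED_VALUES = {
  bigdecimal_load: %i[bigdecimal float auto],
  mode: %i[strict null compat json rails custom] # :object removed by the fix
}.freeze

# Assumed defaults; not taken from the advisory.
DEFAULTS = { bigdecimal_load: :float, mode: :compat }.freeze

# Builds the Oj option hash from FLUENT_OJ_OPTION_* variables in `env`
# (a plain Hash here so the example runs offline). Values outside the
# allow-list are dropped in favour of the default and reported in `warnings`.
def load_oj_options(env)
  options = DEFAULTS.dup
  warnings = []
  ALLOWED_VALUES.each do |name, allowed|
    key = "FLUENT_OJ_OPTION_#{name.to_s.upcase}"
    next unless env.key?(key)
    value = env[key].to_s.strip.downcase.to_sym
    if allowed.include?(value)
      options[name] = value
    else
      warnings << "#{key}=#{env[key]} rejected (allowed: #{allowed.join(', ')}); using #{DEFAULTS[name]}"
    end
  end
  [options, warnings]
end

# Version range from the advisory: >= 1.13.2, < 1.15.3.
AFFECTED_RANGE = Gem::Requirement.new('>= 1.13.2', '< 1.15.3')

# True only when both advisory conditions hold: an affected Fluentd version
# and FLUENT_OJ_OPTION_MODE explicitly set to object.
def affected?(version, env)
  AFFECTED_RANGE.satisfied_by?(Gem::Version.new(version)) &&
    env['FLUENT_OJ_OPTION_MODE'].to_s.strip.downcase == 'object'
end

if __FILE__ == $PROGRAM_NAME
  sample_env = { 'FLUENT_OJ_OPTION_MODE' => 'object' } # constructed sample
  options, warnings = load_oj_options(sample_env)
  warnings.each { |w| warn w }
  puts "effective options: #{options.inspect}"
  puts "Fluentd 1.14.6 with this env affected? #{affected?('1.14.6', sample_env)}"
end
```

Run it against a real host by replacing `sample_env` with `ENV.to_h` and the version string with the installed gem version; a `true` from `affected?` means the upgrade to 1.15.3 (or removal of the variable) is still outstanding.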
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| fluentd (RubyGems) | >= 1.13.2, < 1.15.3 | 1.15.3 |
Affected products
3 products (OSV coordinates), 2 version entries: >= 1.13.2, < 1.15.3 (+ 1 more)
- (no CPE) range: >= 1.13.2, < 1.15.3
- (no CPE) range: >= 1.13.2, < 1.15.3
- fluent/fluentd (v5) range: >= 1.13.2, < 1.15.3
Patches
48e5b85dab1b: Remove `object` from the available list of `FLUENT_OJ_OPTION_MODE`
1 file changed · +1 −1
lib/fluent/oj_options.rb+1 −1 modified@@ -11,7 +11,7 @@ class OjOptions ALLOWED_VALUES = { 'bigdecimal_load': %i[bigdecimal float auto], - 'mode': %i[strict null compat json rails object custom] + 'mode': %i[strict null compat json rails custom] } DEFAULTS = {
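Review bot: the allow-list change in `ALLOWED_VALUES['mode']` is the whole fix, but the hunk touches only the constant; a test asserting that `object` is now rejected for `mode` and a changelog or docs note that `FLUENT_OJ_OPTION_MODE=object` fails validation from this version on would be worth adding alongside it, so operators who relied on that value understand why their setting is no longer honoured.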
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-fppq-mj76-fpj2 (ghsa, ADVISORY)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYD5QV66OLDHES6IKVYYM3Y3YID3VVCO/ (mitre, vendor-advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-39379 (ghsa, ADVISORY)
- github.com/fluent/fluentd/commit/48e5b85dab1b6d4c273090d538fc11b3f2fd8135 (ghsa, WEB)
- github.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2 (ghsa, WEB)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/fluentd/CVE-2022-39379.yml (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MYD5QV66OLDHES6IKVYYM3Y3YID3VVCO (ghsa, WEB)